Las Vegas: Even the human bloodstream isn't
safe from computer hackers.
A security researcher who is diabetic has identified
flaws that could allow an attacker to remotely control insulin
pumps and alter the readouts of blood-sugar monitors. As a
result, diabetics could get too much or too little insulin, a
hormone they need for proper metabolism.
Jay Radcliffe, a diabetic who experimented on his own
equipment, shared his findings with The Associated Press
before releasing them today at the Black Hat computer security
conference in Las Vegas.
"My initial reaction was that this was really cool
from a technical perspective," Radcliffe said. "The second
reaction was one of maybe sheer terror, to know that there's
no security around the devices which are a very active part of
keeping me alive."
Increasingly, medical devices such as pacemakers,
operating room monitors and surgical instruments including
deep-brain stimulators are being made with the ability to
transmit vital health information from a patient's body to
doctors and other professionals. Some devices can be remotely
controlled by medical professionals.
Although there's no evidence that anyone has used
Radcliffe's techniques, his findings raise fears about the
safety of medical devices as they're brought into the Internet
age. Serious attacks have already been demonstrated against
pacemakers and defibrillators.
Medical device makers downplay the threat from such
attacks. They argue that the demonstrated attacks have been
performed by skilled security researchers and are unlikely to
occur in the real world.
Though there has been a push to automate medical
devices and include wireless chips, the devices are typically
too small to house processors powerful enough to perform
advanced encryption to scramble their communications. As a
result, most devices are vulnerable.
Radcliffe wears an insulin pump that can be used with
a special remote control to administer insulin. He found that
the pump can be reprogrammed to respond to a stranger's
remote. All he needed was a USB device that can be easily
obtained from eBay or medical supply companies. Radcliffe also
applied his skill for eavesdropping on computer traffic. By
looking at the data being transmitted from the computer with
the USB device to the insulin pump, he could instruct the USB
device to tell the pump what to do.
Radcliffe also found that it was possible to tamper
with a second device he wears. He found that he could
intercept signals sent wirelessly from a sensor to a machine
that displays blood-sugar levels. By broadcasting a signal
that is stronger than the real-time, authentic readings, he
could trick the monitor into displaying old information over
and over. As a result, a patient who didn't notice wouldn't
adjust insulin dosage properly.
With a powerful enough antenna, Radcliffe said, an
attacker could be up to half a mile away. This attack worked
on two different blood-sugar monitors, Radcliffe said.
Few public studies have been done on the
susceptibility of medical devices to hacking.
One such study, which appeared in 2008 from a
consortium of academics, found that a popular type of device
that acted as both a pacemaker and defibrillator could be
remotely reprogrammed to deliver potentially deadly shocks or
run out its battery.