Insulin pumps are vulnerable to determined hackers, who could also remotely mess up the readings of blood-sugar monitors, Jerome Radcliffe, a security researcher who has diabetes, revealed at the Black Hat computer security conference in Las Vegas, Nevada. In other words, a hacker could cause a diabetic patient to receive either too much or too little insulin.

Radcliffe says he experimented on his own equipment. He suspects that other brands are probably just as vulnerable.

“My initial reaction was that this was really cool from a technical perspective,” Radcliffe said. “The second reaction was one of maybe sheer terror, to know that there’s no security around the devices which are a very active part of keeping me alive.”

A growing number of medical devices these days are hooked up to communication systems so that doctors and other professionals can be involved in a patient’s care from a distance. Examples include pacemakers, operating room monitors, and ICU equipment. In fact, some of these devices can be remotely controlled.

So far, there have been no reports of hackers messing with medical devices used by diabetics. However, Radcliffe’s findings should be of concern to medical device makers and those who buy and use them – the potential is there.

Even though attacks have been demonstrated on some devices, such as defibrillators and pacemakers, medical device companies say that these have been carried out by skilled professionals and cannot occur outside laboratory conditions. Some people have suggested that the companies should check out the skills of some hackers around the world.

For hackers, hacking is a goal to reach. If medical devices come into their sights, and one person manages to mess with things, others might follow suit, even offering new programs for more sophisticated attacks.

Experts say most devices are vulnerable. Most devices do not have advanced processors that could support sophisticated encryption.

Radcliffe, 33, from Meridian, Idaho, wears an insulin pump. It can be used with a remote control to administer insulin. After some effort, he was able to reprogram it so that it would respond to another remote. He did that with a USB device which can be easily bought from medical suppliers, or even eBay. He could see what data the computer with the USB device was transmitting to the insulin pump – by tweaking the USB device he could make the pump do more or less whatever he wanted.

The hacker needs to be within about two hundred feet of the patient, which is plenty of distance for somebody walking around inside a hospital.

Radcliffe says other devices used by diabetes patients can also be altered remotely.

Scientists at the Massachusetts Institute of Technology and University of Massachusetts are developing jammers that can be worn – they claim they would defend medical devices from the hacker’s signals. Some have asked whether this might not also stop doctors from doing their work remotely.

Written by Christian Nordqvist