Black hat hacker can remotely attack insulin pumps and kill people
- As if we didn't already have enough to be neurotic about, a man at the Black Hat Technical Security Conference gave a presentation detailing how he could take control of insulin pumps from miles away and kill his victims.
Take a minute to panic. Now keep reading.
Jerome Radcliffe is a diabetic. The nefarious hack he presented at the conference Thursday was a response to his condition. "I have two devices attached to me at all times; an insulin pump and a continuous glucose monitor,"said Radcliffe. He said that the devices turned him into a supervisory control and data acquisition (SCADA) system.
Out of fear for his own safety he wanted to see if he could hack into these wireless medical devices. As a senior threat intelligence analyst for a major computer security organization, it only made sense that he would test his own defense against hackers.
His presentation, "Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System," details his journey to reverse engineer the life-saving and potential life-threatening devices.
Although there's no evidence that anyone has used Radcliffe's techniques, his findings raise fears about the safety of medical devices as they're brought into the Internet age. Serious attacks have already been demonstrated against pacemakers and defibrillators.
Radcliffe wears an insulin pump that can be used with a special remote control to administer insulin. He found that the pump can be reprogrammed to respond to a stranger's remote. All he needed was a USB device that can be easily obtained from eBay or medical supply companies. Radcliffe also applied his skill for eavesdropping on computer traffic. By looking at the data being transmitted from the computer with the USB device to the insulin pump, he could instruct the USB device to tell the pump what to do.
Radcliffe, who is 33 and lives in Meridian, Idaho, tested only one brand of insulin pump - his own - but said others could be vulnerable as well.
Although an attacker would need to be within a couple hundred feet of the patient to pull this off, a stranger wandering a hospital or sitting behind a target on an airplane would be close enough.
Radcliffe also found that it was possible to tamper with a second device he wears. He said he could intercept signals sent wirelessly from a sensor to a machine that displays blood-sugar levels. By broadcasting a signal that is stronger than the real-time, authentic readings, the monitor would be tricked into displaying old information over and over. As a result, a patient who didn't notice wouldn't adjust insulin dosage properly.
With a powerful enough antenna, Radcliffe said, an attacker could be up to a half a mile away. This attack worked on two different blood-sugar monitors.
"The threat hasn't manifested yet, so what they and we are trying to do is see what the risk could be in the future," said Yoshi Kohno, a University of Washington professor who wasn't a part of Radcliffe's research.
Radcliffe said the point of his research is not to alarm people. He said the issues he's discovered are important to address publicly as the medical industry moves aggressively toward more networked devices.
"It would only take one person to do this to kill someone and then you have a catastrophe," he said.
No comments:
Post a Comment