Insulin pumps, monitors vulnerable to hacking

By JORDAN ROBERTSON , AP Technology Writer

(AP) -- Even the human bloodstream isn't safe from computer hackers.

A security researcher who is diabetic has identified flaws that could allow an attacker to remotely control insulin pumps and alter the readouts of blood-sugar monitors. As a result, diabetics could get too much or too little insulin, a hormone they need for proper metabolism.

Jay Radcliffe, a diabetic who experimented on his own equipment, shared his findings with The Associated Press before releasing them Thursday at the Black Hat in Las Vegas.

"My initial reaction was that this was really cool from a technical perspective," Radcliffe said. "The second reaction was one of maybe sheer terror, to know that there's no security around the devices which are a very active part of keeping me alive."

Increasingly, medical devices such as , operating room monitors and surgical instruments including deep-brain stimulators are being made with the ability to transmit vital health information from a patient's body to doctors and other professionals. Some devices can be remotely controlled by medical professionals.

Although there's no evidence that anyone has used Radcliffe's techniques, his findings raise fears about the safety of medical devices as they're brought into the Internet age. Serious attacks have already been demonstrated against pacemakers and defibrillators.

Medical device makers downplay the threat from such attacks. They argue that the demonstrated attacks have been performed by skilled security researchers and are unlikely to occur in the real world.

But hacking is like athletics. Showing that a far-fetched attack is possible is like cracking the 4-minute mile. Once someone does it, others often follow. Free or inexpensive programs eventually pop up online to help malicious hackers automate obscure attacks.

Though there has been a push to automate medical devices and include wireless chips, the devices are typically too small to house processors powerful enough to perform advanced encryption to scramble their communications. As a result, most devices are vulnerable.

Radcliffe wears an insulin pump that can be used with a special remote control to administer insulin. He found that the pump can be reprogrammed to respond to a stranger's remote. All he needed was a USB device that can be easily obtained from eBay or medical supply companies. Radcliffe also applied his skill for eavesdropping on computer traffic. By looking at the data being transmitted from the computer with the USB device to the insulin pump, he could instruct the USB device to tell the pump what to do.

Radcliffe, who is 33 and lives in Meridian, Idaho, tested only one brand of insulin pump - his own - but said others could be vulnerable as well.

Although an attacker would need to be within a couple hundred feet of the patient to pull this off, a stranger wandering a hospital or sitting behind a target on an airplane would be close enough.

Radcliffe also found that it was possible to tamper with a second device he wears. He found that he could intercept signals sent wirelessly from a sensor to a machine that displays blood-sugar levels. By broadcasting a signal that is stronger than the real-time, authentic readings, the monitor would be tricked into displaying old information over and over. As a result, a patient who didn't notice wouldn't adjust insulin dosage properly.

With a powerful enough antenna, Radcliffe said, an attacker could be up to half a mile away. This attack worked on two different blood-sugar monitors, Radcliffe said.

"Everybody's pushing the technology to do more and more and more, and like any technology that's pushed like that, security is an afterthought," Radcliffe said.

Radcliffe refused to identify any of the three device makers, in part out of concern for his own safety. He is concerned that the devices don't appear to have an easy way to be updated with new software to fix the problems. He said he intends to notify the manufacturers after Thursday's presentation outlining the weaknesses.

The hacking fears come on top of human errors and technical glitches tied to medical devices. The U.S. Food and Drug Administration has identified software and design errors as critical concerns in investigating hundreds of deaths potentially linked to drug pumps.

FDA officials declined to comment specifically on Radcliffe's findings, saying they hadn't seen the research. But the FDA said that any medical device with wireless communication components can fall victim to eavesdropping. It warns device makers that they are responsible for making sure they can update equipment after it's sold.

Industry officials downplay the potential threat.

"The risk to a patient with diabetes of having their monitors hacked is extraordinarily small, and there's a great health risk of not monitoring than the risk of being hacked," said Wanda Moebius, a vice president at the Advanced Medical Technology Association, an industry group.

Few public studies have been done on the susceptibility of medical devices to hacking.

One such study, which appeared in 2008 from a consortium of academics, found that a popular type of device that acted as both a pacemaker and defibrillator could be remotely reprogrammed to deliver potentially deadly shocks or run out its battery.

The problem was the way the device transmitted data unencrypted and accepted commands wirelessly from unauthorized devices. One limitation of the study was that researchers only examined an attack from a few centimeters away from the targeted device.

Yoshi Kohno, a University of Washington professor of computer science who was a co-author of that study, said that Radcliffe's new research reinforces the urgency of addressing security issues in before attacks move out of research labs.

"The threat hasn't manifested yet, so what they and we are trying to do is see what the risk could be in the future," said Kohno, who wasn't part of Radcliffe's research.

Radcliffe said the point of his research is not to alarm people. He said the issues he's discovered are important to address publicly as the medical industry moves aggressively toward more networked devices.

"It would only take one person to do this to kill someone and then you have a catastrophe," he said.

not rated yet
add to favorites email to friend print save as pdf

Related Stories

FDA aims to accelerate medical device reviews

Feb 08, 2011

(AP) -- Federal health officials have proposed a plan that would speed up the approval of innovative medical devices that hold the potential to dramatically improve patients' lives.

Protecting medical implants from attack

Jun 13, 2011

Millions of Americans have implantable medical devices, from pacemakers and defibrillators to brain stimulators and drug pumps; worldwide, 300,000 more people receive them every year. Most such devices have ...

Wireless drug control

Feb 06, 2009

Electronic implants that dispense medicines automatically or via a wireless medical network are on the horizon. Australian and US researchers warn of the security risks in a forthcoming issue of the International Journal of ...

FDA medical device approvals get external review

Sep 23, 2009

(AP) -- The Food and Drug Administration is asking the government's top medical advisers to review its system for approving certain types of medical devices, which has been criticized by safety advocates and government watchdogs.

FDA wants stricter testing for defibrillators

Jan 21, 2011

(AP) -- The Food and Drug Administration is recommending stricter safety measures for heart-zapping defibrillators after years of increasing problems with the emergency medical devices.

Recommended for you

Growing a blood vessel in a week

Oct 24, 2014

The technology for creating new tissues from stem cells has taken a giant leap forward. Three tablespoons of blood are all that is needed to grow a brand new blood vessel in just seven days. This is shown ...

Testing time for stem cells

Oct 24, 2014

DefiniGEN is one of the first commercial opportunities to arise from Cambridge's expertise in stem cell research. Here, we look at some of the fundamental research that enables it to supply liver and pancreatic ...

Team finds key signaling pathway in cause of preeclampsia

Oct 23, 2014

A team of researchers led by a Wayne State University School of Medicine associate professor of obstetrics and gynecology has published findings that provide novel insight into the cause of preeclampsia, the leading cause ...

Rapid test to diagnose severe sepsis

Oct 23, 2014

A new test, developed by University of British Columbia researchers, could help physicians predict within an hour if a patient will develop severe sepsis so they can begin treatment immediately.

User comments

Adjust slider to filter visible comments by rank

Display comments: newest first

antialias_physorg
1 / 5 (1) Aug 04, 2011
The risk to a patient with diabetes of having their monitors hacked is extraordinarily small, and there's a great health risk of not monitoring than the risk of being hacked

This is a false dichotomy if ever I saw one. The alternative not being hacked is not to forego monitoring. It is to increase security.

Since the data passed between monitor and insulin pump is not much over the lifetime of the devices and they only need to transmit stuff in 'clear' when interfacing with special hospital hardware it's perfectly simple to upload both with a set of random numbers for completely unhackable one-time-pad functionality.
antonima
not rated yet Aug 04, 2011
I agree that its important to increase security, but frankly, if it wasn't for this one researcher and his publicist, NO ONE WOULD KNOW ABOUT IT. And now, hundreds of thousands if not millions of tech interested persons have the information. Good going, assholes! I'm sure you'll get a grant now!
antialias_physorg
1 / 5 (1) Aug 04, 2011
NO ONE WOULD KNOW ABOUT IT

Not true. Just yesterday my coworkers and I were discussing this very problem over lunch (I work for a company that develops hardware/software for the medical industry - albeit not such vital/security sensitive stuff).
The lack of security in such devices is known to anyone working in that area.

What you advocate is called 'security by obscurity' which is widely derided as the worst form of security possible.