ap


LAS VEGAS — A security researcher who is diabetic has identified flaws that could allow an attacker to remotely control insulin pumps and alter the readouts of blood-sugar monitors. As a result, diabetics could get too much or too little insulin, a hormone they need for proper metabolism.

Jay Radcliffe, who is 33 and lives in Meridian, Idaho, experimented on his own equipment and shared his findings with The Associated Press before releasing them Thursday at the Black Hat computer-security conference in Las Vegas.

“My initial reaction was that this was really cool from a technical perspective,” Radcliffe said. “The second reaction was one of maybe sheer terror, to know that there’s no security around the devices, which are a very active part of keeping me alive.”

Increasingly, medical devices such as pacemakers, operating-room monitors and surgical instruments, including deep-brain stimulators, are made with the ability to transmit vital health information from a patient’s body to doctors and other professionals. Some devices can be remotely controlled by medical professionals.

Although there’s no evidence that anyone has used Radcliffe’s techniques, his findings raise concerns about the safety of medical devices as they’re brought into the Internet age. Serious attacks have already been demonstrated against pacemakers and defibrillators.

Medical-device makers play down the threat from such attacks, saying the demonstrated attacks have been performed by skilled security researchers and are unlikely to occur in the real world.

Though there has been a push to automate medical devices and include wireless chips, the devices are typically too small to house processors powerful enough to perform advanced encryption to scramble their communications. As a result, most devices are vulnerable.

Radcliffe wears an insulin pump that can be used with a special remote control to administer insulin. He found that the pump can be reprogrammed to respond to a stranger’s remote. All he needed was a USB device that can be easily obtained from eBay or medical-supply companies.

Radcliffe also applied his skill for eavesdropping on computer traffic. By looking at the data being transmitted from the computer with the USB device to the insulin pump, he could instruct the USB device to tell the pump what to do.
