A security researcher who is diabetic has identified flaws that could allow an attacker to remotely control insulin pumps and alter the readouts of blood-sugar monitors. As a result, diabetics could get too much or too little insulin, a hormone they need for proper metabolism.

Jay Radcliffe, a diabetic who experimented on his own equipment, shared his findings with The Associated Press before releasing them Thursday at the Black Hat computer security conference in Las Vegas.

“My initial reaction was that this was really cool from a technical perspective,” Radcliffe said. “The second reaction was one of maybe sheer terror, to know that there’s no security around the devices which are a very active part of keeping me alive.”

Increasingly, medical devices such as pacemakers, operating room monitors and surgical instruments including deep-brain stimulators are being made with the ability to transmit vital health information from a patient’s body to doctors and other professionals. Some devices can be remotely controlled by medical professionals.

Although there’s no evidence that anyone has used Radcliffe’s techniques, his findings raise fears about the safety of medical devices as they’re brought into the Internet age. Serious attacks have already been demonstrated against pacemakers and defibrillators.

I hear their next competition will be to see who can use a wifi nursery monitor to electrocute an infant.




  1. MadTruckMan says:

    Everyone laughs, but another prime example of ‘Just because you can, doesn’t mean you should’….

  2. bobbo, you just can't trust machines says:

    Reminds me of the high death rate on the ICU ward. Nothing correlated to nothing except the huge spike on night shift but months long medical chart reviews showed nothing. Then the intrepid junior investigator just got some comic books and a thermos of coffee and sat on the ward a few evenings.

    You all should know where this is going?

    Yep, Mexican house cleaners were unplugging drips and breathers to do the vacuuming. Why didn’t the alarms go off?

    Didn’t I say the machines were unplugged?

    Ha, ha. Silly rabbits.

  3. NobodySpecial says:

    This is terrible – a much better approach would be to keep it secret and not force the manufacturers to build in some sort of encryption.

    It’s like announcing that Ford fuel tanks explode – that could help terrorists – much better to keep it a little secret between Ford and the occasional victim

  4. Pays2Think says:

    Not very inventive. In fact downright boring. I mean where’s the challenge in hacking a defenseless piece of medical equipment? Is that the best they can do? Why not do something that helps the citizens of the world? With all the skullduggery out there, defenseless medical devices, really!

  5. Somebody says:

    I think Anonymous should try to get the kill-code etc. for Limbaugh’s brain implant.

    Think what fun you could have if you could directly feed your messages to the “Golden EIB Microphone”.

  6. omfgoats says:

    I swear there was an episode of Law and Order back in the early 90s that had an insulin monitor being hacked and people dying of Insulin overdoses.

  7. Miguel says:

    In other news, hackers found a way to hack CASIO and TIMEX quartz wristwatches, making them give the wrong time and causing a new wave of unemployment and divorces…

  8. msbpodcast says:

    The easiest way to eliminate all of this debate about healthcare is to eliminate the need for it by eliminating the people who use it.

    One of the best ways is to make and leave the devices open to hacking.

    Imagine the bragging rights for some Indochinese Islamist geek to claim to have taken down a US hospital chain’s infant monitors and left the children of rich white heathens to die in wards across the country, or to have hacked a dozen defibrillators to deliver under-voltage shocks. (You don’t need to hack them all, just enough to prompt a company crippling recall, on top of a dozen deaths.)

    That would take care of the shrinking middle class in this country who are still working for someone who provides them with shrinking healthcare. (It’s easy to poison the well when your urine’s toxic.)

    With luck, you can even shake up the rich, though they hire poor locals and imports to do the hazardous work and they can afford the private farms where organic produce is grown just for them.

    Already, 50+million of us are uninsured and at the mercy of every pathogen. (A poor woman has more chance of dying in childbirth in Washington DC than in Cuba.)

    Middle-class or poor, our diet is unhealthy and so are we because we’re too starved of information to realize that we’re starved of nutrients.

    • The USDA is not your friend. (They came up with bleaches to mask the stench of your hamburger meat.)
    • The FDA is not your friend. (They came up with all of the preservatives that you can’t digest.)
    • Big agra (Cargill, Monsanto and a few others,) is not your friend.
    • The food processors are not your friends.
    (Hell, people are paid to create crap like Cheeze Doodles™.)
    • Big pharma is not your friend. (They’ve been coming up with new and improved antacids to mask the effects of the previously listed criminals.)

    Islam’s Great Satan is committing seppuku before your very eyes.

  9. Glenn E. says:

    So now we know that the CIA can bump you off in your hospital bed, remotely, without using that heart attack drug that supposedly doesn’t exist. You can believe they’ll be adding this to their bag of spy tricks, if they haven’t already. No more poisoning dictators thru their milk shakes or wine coolers. Just mis-calibrate their meds monitors.

  10. deowll says:

    You do know somebody is going to do this to collect the insurance/inherit a bundle.

  11. ReadyKilowatt says:

    http://diabeteswellbeing.com/insulin-pump-price.html

    Check the price of an insulin pump on the link. What the hell are you paying for if they are so easily hacked?

  12. Animby says:

    # 2 bobbo, “Mexican house cleaners were unplugging”

    To the best of my knowledge: Urban myth. I’m open to being proven wrong.

    How many ICUs have carpeting? ICU is a messy environment. Carpets are hard to clean. And most life support machines have battery-operated alarms. Machine unplugged? Alarm still works. Nope. I think myth.

  13. Animby says:

    Thanks, Penguin.

  14. ray says:

    “I hear their next competition will be to see who can use a wifi nursery monitor to electrocute an infant.”

    Funny comment, but not a funny story. The state of cyber security in the US is so bad, it boggles the mind.

  15. dexton7 says:

    I think that maybe Jay Radcliffe needs to focus his diligent efforts on finding some friends in the medical field and discovering a CURE for diabetes. Much more productive and probably more appreciated.. Yep.

  16. xjonx says:

    My question is this, why would such a device need internet access? And if physical access to the device is required, why bother? There are plenty of easier, cheaper, quicker ways to kill that rich uncle. Looks like pointless fear mongering by an individual that is looking for his 15 minutes.

