The Unthinkable Hack: Using Insulin Pumps as a Murder Weapon
Posted: August 8, 2011
We’ve all heard of, read about, and in some cases experienced firsthand the damage that hackers can do. We have seen everything from security breaches at multi-million dollar corporations (e.g. Sony, Best Buy, etc.) to car doors being unlocked via text message. This is the ongoing battle between Good IT and Evil IT: as technology advances, so do the hackers. The safest assumption for anyone regarding technology is, “If it can be hacked, it will be hacked.”
Jerome Radcliffe, a security researcher, detailed at the Black Hat Security Conference how the use of SCADA insulin pumps, pacemakers and implanted defibrillators carries the possibility of untraceable, lethal attacks from half a mile away.
Radcliffe, who also happens to be a diabetic with a wireless, always-connected insulin pump, became concerned by the possibility that someone could hack his pump, change the settings and kill him. While the idea that someone will want to remotely kill you by hacking your insulin pump is a bit far-fetched and even paranoid, what he uncovered was very scary indeed. Radcliffe spent the last 2 years attempting to hack his insulin pump and unfortunately was successful.
Radcliffe was able to intercept the wireless signals, reverse them, inject some fake data and send it back to the pump. He found that he was able to increase the amount of insulin injected by the pump, or reduce it. To make matters even worse, the pump never showed any signs of tampering, nor did it generate any type of warning.
The problem with wireless medical devices is that they are not designed with security in mind. The companies that produce these devices work under the assumption that no one would attempt to hack a wireless life-sustaining device, so these devices tend to be relatively insecure. Some SCADA systems use encryption, but encryption entails complexity, power consumption and increased cost for the manufacturer. The decision the companies then face is between producing a product cheaply and quickly, or producing a secure one. It appears these companies, up until now at least, have opted for the former. However, with this new discovery by Radcliffe, I would expect to see companies rapidly moving towards the latter option.
At this time, though, there is no reason to panic: this is simply a discovery, and the attack could not be achieved from more than 1 foot from the device, at least not yet. However, a foot away can turn into a half mile away in a very short amount of time. It’s a very unsettling thought that in the near future someone could park outside your home or the hospital and commit a crime with wireless, untraceable impunity.
The only way to address this discovery is to step up security. A great place to start is for companies to produce proprietary hardware and use encryption. Ultimately, the companies that produce these devices will have to drop their assumption that no one would attempt to hack a medical device and build these devices with the assumption that hackers will eventually break in. In a perfect world this would not be an issue; however, we don’t live in that world. We live in a world where human depravity is displayed every day, and this is just one more piece of evidence that proves it.