Lethal medical device hack taken to next level

Attacker sniffs insulin pump ID, delivers fatal dose
Killing wirelessly: McAfee security researcher Barnaby Jack delivers a fatal dose of (fake) insulin (Stilgherrian / CSO Online)


The wireless hacking of a medical device, first demonstrated at the Black Hat 2011 conference in August, has been taken a step further. An insulin pump has been hacked and instructed to deliver a lethal dose without the attacker first knowing the device's ID number.

Insulin pumps are used to deliver a continuous low-level dose of the hormone insulin to diabetics. They provide better control over the patient's blood glucose levels than can be achieved through multiple daily injections.

Modern pumps are designed to communicate wirelessly with blood glucose measuring devices and the pump's configuration software.

The August hack by IBM cyber threat intelligence analyst Jay Radcliffe, a diabetic himself, required knowledge of the pump's six-digit ID, although that number could potentially be obtained by brute-force guessing or through social engineering.

However, at the Focus 11 conference in Las Vegas today, McAfee research architect Barnaby Jack showed how the device ID could be obtained wirelessly — something that's easier than it should be because the wireless link has no encryption and no authentication.

"You're not meant to be able to grab serial numbers out of the air," Jack said. "This tool I developed should be able to scan the frequency for these pumps, retrieve the pump ID, and with that pump I can then dispense insulin, suspend the pump, resume it and that type of thing."

The transmission range is usually only a few feet, but Jack had constructed a high-gain antenna to boost the range.

Within seconds of activating his scanning software, Jack had obtained the target device's ID number and gained control.

"Three or four units [of insulin] would be a serious problem. Ten units would probably send me to hospital for sure. The whole reservoir, when it's full, holds 300 units, and that's between a three and a four day supply," said a diabetic introduced as Anthony, who is fitted with the same model pump.

Jack instructed the target pump to deliver its maximum dose of 25 units — fatal, if it had been insulin going into a real patient rather than blue food colouring onto a test bench.

"I think for the most part medical devices have been overlooked by security researchers, but they're used in critical applications," Jack said. "Compromise these devices [and] there's a very real-world effect."

Following the August hack, the manufacturer's response had been one of denial.

"The researcher was only able to hack his own pump using in-depth knowledge about the product. He also had access to specialised equipment," they wrote.

The "specialised equipment" was a standard USB wireless device, and the "in-depth knowledge" was the pump's ID. Everything else he had obtained by reverse-engineering the wireless data transmissions.

"We also consider it a very unlikely event, and we strongly believe it would be extremely difficult for a third party to wirelessly tamper with your insulin pump," the manufacturer wrote.

Today's demonstration clearly puts the lie to that.

Stilgherrian is attending McAfee's Focus 11 security conference in Las Vegas as their guest.

Contact Stilgherrian at Stil@stilgherrian.com or follow him on Twitter at @stilgherrian

Tags: insulin pump, Jay Radcliffe, security, software

Comments

1

Don.Turnblade

Wed 26/10/2011 - 08:41

The computer security risk life cycle for medical devices is trapped in a game of "Limited Liability Football".

Hospital says, "We cannot upgrade this device to better secure it on our own! It will void the Limited Liability."

Device Manufacturer says, "We cannot upgrade our Device! We already proved it's perfect to the FDA!"

FDA says, "I am not sure that an unforeseen Computer Risk constitutes a Medical Device complaint."

Yet, all these fears paralyze good sense.

Since manufacturer denial is part of the typical InfoSec Vulnerability discovery process, nothing new is happening here. What is new is that the proof of concept has become graphically clear.

Rightly, the FDA should receive this risk as a Medical Device Defect Complaint. Then, the medical device maker can complete its grief process: Denial, Anger, Bargaining, Depression and then Acceptance.
Then, two years from now, this at-risk population can get their successful vulnerability patch applied.

But, even if all goes well for the next two years, do we not owe these at-risk patients more than just FDA approved lethal risks? Is that what medical innovation is truly intended to accomplish?

2

Ian

Mon 31/10/2011 - 07:24

My wife is a diabetic who uses wireless insulin pumps. I had a discussion with some other people in the Infosec industry during DEFCON, where the idea was presented that this may be possible. The general consensus was that even if it were possible, nobody would ever be that malicious to do such a thing.

I guess "for the lulz" wasn't a good enough reason. I'm very worried about the manufacturer response.

When my wife was prescribed these pumps, I emailed the manufacturer and asked them what kind of wireless security was built into the units, and even offered to sign an NDA. Of course, they refused and told me not to worry about it. I will be emailing them again, and asking them if they are the unnamed manufacturer.

3

Stevelaudig

Tue 01/11/2011 - 23:03

How would this not be murder meriting execution of the perpetrator?
