Lethal medical device hack taken to next level

Attacker sniffs insulin pump ID, delivers fatal dose

Killing wirelessly: McAfee security researcher Barnaby Jack delivers a fatal dose of (fake) insulin (Stilgherrian / CSO Online)

Killing wirelessly: McAfee security researcher Barnaby Jack delivers a fatal dose of (fake) insulin (Stilgherrian / CSO Online)

The wireless hacking of a medical device, first demonstrated at the Black Hat 2011 conference in August, has been taken a step further. An insulin pump has been hacked and instructed to deliver a lethal dose without first knowing the device's ID number.

Insulin pumps are used to deliver a continuous low-level dose of the hormone insulin to diabetics. They provide better control over the patient's blood glucose levels than can be achieved through multiple daily injections.

Modern pumps are designed to communicate wirelessly with blood glucose measuring devices and the pump's configuration software.

The August hack by IBM cyber threat intelligence analyst Jay Radcliffe, a diabetic himself, required knowledge of the pump's six-digit ID, although that number could potentially be obtained by brute-force guessing or through social engineering.

However at the Focus 11 conference in Las Vegas today, McAfee research architect Barnaby Jack showed how the device ID could be obtained wirelessly — something that's easier than it should be because the wireless link has no encryption and no authentication.

"You're not meant to be able to grab serial numbers out of the air," Jack said. "This tool I developed should be able to scan the frequency for these pumps, retrieve the pump ID, and with that pump I can then dispense insulin, suspend the pump, resume it and that type of thing."

The transmission range is usually only a few feet, but Jack had constructed a high-gain antenna to boost the range.

Within seconds of activating his scanning software, Jack had obtained the target device's ID number and gained control.

"Three or four units [of insulin] would be a serious problem. Ten units would probably send me to hospital for sure. The whole reservoir, when it's full, holds 300 units, and that's between a three and a four day supply," said a diabetic introduced as Anthony, who is fitted with the same model pump.

Jack instructed the target pump to deliver its maximum dose of 25 units — fatal, if it had been insulin going into a real patient rather than blue food colouring onto a test bench.

"I think for the most part medical devices have been overlooked by security researchers, but they're used in critical applications," Jack said. "Compromise these devices [and] there's a very real-world effect."

Following the August hack, the manufacturer's response had been one of denial.

"The researcher was only able to hack his own pump using in-depth knowledge about the product. He also had access to specialised equipment," they wrote.

The "specialised equipment" was a standard USB wireless device, and the "in-depth knowledge" was the pump's ID. Everything else he had obtained by reverse-engineering the wireless data transmissions.

"We also consider it a very unlikely event, and we strongly believe it would be extremely difficult for a third party to wirelessly tamper with your insulin pump," the manufacturer wrote.

Today's demonstration clearly puts lie to that.

Stilgherrian is attending McAfee's Focus 11 security conference in Las Vegas as their guest.

Contact Stilgherrian at Stil@stilgherrian.com or follow him on Twitter at @stilgherrian

Join the CSO newsletter!

Error: Please check your email address.

Tags insulin pumpJay Radcliffesecuritysoftware

More about IBM AustraliaIBM AustraliaMcAfee Australia

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Stilgherrian

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place