Threat analyst says medical devices can be hacked remotely
LAS VEGAS — A computer threat analyst on Saturday will show a gathering of hackers how easy it is to wirelessly take control of an insulin pump on which a diabetic’s life could hinge.
Jerome “Jay” Radcliffe’s demonstration at DefCon in Las Vegas will spotlight a critical need to build software defense into pace makers, insulin pumps and other medical gadgets getting “smarter” with computer chips.
“If you look at the history of hacking medical devices, worms and viruses are running rampant,” said ‘informatics nurse’ and hacker Brad Smith, who specializes in medical software.
The list of medical gadgets vulnerable to being hacked wirelessly includes pace makers, intravenous pumps, and blood pressure cuffs, according to Smith.
Radcliffe was diagnosed with diabetes about 11 years ago, when he was 22, and recently employed his software skills to find out whether an insulin pump trusted to keep his blood sugar levels safe could be hacked.
He found he could remotely toy with dosage levels or turn it off.
“It turns out that with this model there is no security,” Radcliffe said. “All you need is a serial number to talk to it.”
He said that prices of insulin pumps, which cost in the thousands of dollars, precluded him from expanding his research to determine how widespread the vulnerability is.
Radcliffe didn’t disclose his insulin pump model nor did he outline critical details of the hack to allow time for the maker to address the situation and to avoid tempting DefCon attendees known for software mischief.
“We are not talking about $200 dollars on someone’s credit card,” Radcliffe said in a reference to hacks for profit. “We are talking about somebody’s life.”
Medical devices built with wireless connectivity can face the kinds of cyber attacks launched on smartphones, tablets, or laptop computers with similar capabilities, according to Smith.
“We have talked about this in the medical community forever,” Smith said. “We have swept it under the carpet.”
Radcliffe was wearing his insulin pump at DefCon on Friday and urged diabetics not to panic.
“I’m target Number One right here in the middle of all these hackers, and I have my pump on,” he told AFP. “I hope that tells people how worried they should be.”
He has shared his findings with the pump maker and been approached by a rival company that boasted of building in strong software defenses.
Copyright © 2011 AFP. All rights reserved.