

  (Source: emftesting.net)
An attacker could intercept wireless signals with a powerful antenna and "broadcast a stronger signal," which would cause blood-sugar levels on the monitor to change

Wireless medical devices such as pacemakers, insulin pumps and defibrillators have made life not only possible for those who use them, but also convenient, since there are no cords to mess around with. On the other hand, there is a danger associated with using such equipment: hackers.

Hackers are commonly associated with computer systems, where websites are broken into and private information is sometimes stolen. In 2011 alone, cyber criminals have attacked and stolen information from Sony, the Pentagon, Bank of America and many more. But in this particular case, hackers could move from traditional mediums to the hacking of wireless medical devices.

Jerome Radcliffe, a security researcher, is a diabetic who uses an insulin pump and a glucose monitor at all times to control his blood sugar. He has become increasingly interested in the security of the medical device that is saving his life, and set out to see whether its proprietary wireless communication could be reverse-engineered and whether a device could then launch an attack that manipulates a diabetic's insulin, potentially leading to death.

Computer scientists have already proved that pacemakers and defibrillators can be hacked wirelessly through the use of radio hardware, an antenna and a PC. This research was published in a 2008 paper, which described how an attacker could send a lethal shock to an implantable cardiac defibrillator. 

Now, Radcliffe has found that a lethal attack is possible against those with insulin pumps/glucose monitors as well. According to Radcliffe's research, an attacker could intercept wireless signals with a powerful antenna and "broadcast a stronger signal," which would cause blood-sugar levels on the monitor to change. This causes the person wearing the pump to adjust the insulin dosage, and constant adjustment (when it is unnecessary) could cause a severe "high" or severe "low" in the diabetic's blood sugar, possibly leading to death.

Radcliffe added that an attacker could accomplish this within a couple hundred feet of a victim, but with a stronger antenna, it can be done up to a half-mile away.

"My initial reaction was that this is really cool from a technical perspective," said Radcliffe. "The second reaction was one of maybe sheer terror, to know that there's no security around the devices which are a very active part of keeping me alive."

One has to wonder what would cause a person to want to hack a wireless medical device and put a person's life at risk. Dr. William Maisel, an assistant professor at Harvard Medical School, offered some perspective on the matter. 

"Motivation for such actions might include the acquisition of private information for financial gain or competitive advantage; damage to a device manufacturer's reputation; sabotage by a disgruntled employee, dissatisfied customer or terrorist to inflict financial or personal injury; or simply the satisfaction of the attacker's ego," said Maisel.

Radcliffe is sharing his research in a presentation called "Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System" at the Black Hat security conference.



Comments

stupid
By insul1n on 8/5/2011 12:07:04 PM , Rating: 2
I wear an insulin pump and find this article misleading. The manufacturer of the insulin pump and doctors both tell you to never rely on the constant glucose monitor to know when to give yourself insulin. You are always supposed to confirm your blood sugar with a traditional finger stick. Glucose levels the pump gives you are supposed to be for trending data and not insulin delivery/adjustment. So there is really no health threat here. Should the problem be fixed, of course, but your health is not at risk because of this.




RE: stupid
By JasonMick (blog) on 8/5/2011 12:14:12 PM , Rating: 2
quote:
I wear an insulin pump and find this article misleading. The manufacturer of the insulin pump and doctors both tell you to never rely on the constant glucose monitor to know when to give yourself insulin. You are always supposed to confirm your blood sugar with a traditional finger stick.

Sure, and you're not supposed to consume more than 3 Monster energy drinks a day and you're not supposed to play Xbox for more than an hour without an exercise break, but how many people ignore these warnings?

I think the point is that this may be dangerous to people who don't practice careful monitoring, instead overly relying on the device for "quick and dirty" measurement. I'd be willing to wager a fair number of diabetics, for better or worse, fall into that category.

Of course the chance that someone actually uses this hack against a diabetic in the real world seems slim, given the technical expertise needed.


RE: stupid
By Phynaz on 8/5/2011 12:57:13 PM , Rating: 2
Quit talking out your ass.

Anybody that drops $1K for a device that costs $300 a month to run is practicing careful monitoring. That's the point.


RE: stupid
By omnicronx on 8/5/2011 1:44:02 PM , Rating: 2
What about people who pay little to nothing for these devices as they are often covered under insurance plans and even government grants? (especially outside the US).

That said, I don't think Jason is giving enough credit to those that would require or use an insulin pump. A large portion of insulin pump usage is by those not having success with daily injections. These are the exact kind of people who would be very careful monitoring their levels.

Still a bit disconcerting though..


RE: stupid
By ClownPuncher on 8/5/2011 1:41:09 PM , Rating: 2
Seriously, if you're diabetic you start to feel like trash if your blood sugar is off. You're motivated to self monitor as well.


RE: stupid
By omnicronx on 8/5/2011 1:49:20 PM , Rating: 2
When the average person starts to get hungry, he/she is motivated to eat, and under normal circumstances will probably do so. But that does not imply that he/she will do so 100% of the time.

I think the issue at hand is a bit exaggerated (for the reasons mentioned in my post above), but I'm sure many diabetics will attest to being lazy once in a while.


RE: stupid
By cruisin3style on 8/6/2011 3:34:27 PM , Rating: 2
quote:
you're not supposed to play Xbox for more than an hour without an exercise break


lol is it really one hour? I don't think I've ever not played xbox for more than an hour


RE: stupid
By parttimeidiot on 8/5/2011 4:37:20 PM , Rating: 2
The good news for all us insulin pump and CGM users is that Jerome Radcliffe actually failed. His quote from Black Hat -

After investing months of spare time and an immense amount of caffeine, I have not accomplished my mission. The journey, however, has been an immeasurable learning experience - from proprietary protocols to hardware interfacing - and I will focus on the ups and downs of this project, including the technical issues, the lessons learned, and information discovered, in this presentation "Breaking the Human SCADA System."

Also CGMs may be getting better but they are not accurate enough YET to be a sensible source of information when adjusting any pump delivery.


RE: stupid
By ranran on 8/5/2011 10:16:28 PM , Rating: 2
As things stand now, you're right. There really aren't any true CGM's (continuous glucose monitoring systems) in use right now.

However, CGM's are eventually....eventually....going to be the technology to use. Medtronic just had a system approved in Europe, and is vying hard for FDA approval as well, though that will take a while longer. Other companies are coming along as well...

Initially, these systems will be useful to prevent hypoglycemic episodes (e.g. at night) by shutting off insulin, but they will eventually be allowed to administer insulin as well.

Given the wireless nature (pump at one site, monitor at another communicating wirelessly), I think this is a very very big deal and should be considered as they develop wireless security for these communications.


Not 100% correct
By Phynaz on 8/5/2011 12:12:15 PM , Rating: 2
quote:
This causes the person wearing the pump to adjust the insulin dosage, and constant adjustment (when it is unnecessary) could cause a severe "high" or severe "low" in the diabetic's blood sugar, possibly leading to death.


Actually a diabetic would react to this by doing a traditional finger stick to get a more accurate and current blood glucose reading.

On the other hand, this is scary for those with insulin pumps with wireless controls, if an insulin bolus could be delivered. Especially an extended bolus.




An old Law & Order case, updated
By UNHchabo on 8/5/2011 8:16:05 PM , Rating: 2
In the third season of Law & Order (from 1993), there's an episode where a hacker breaks into the computer system of a health clinic that specializes in extreme cases of diabetes, and changes the blood sugar readings so that the staff give the patients too much insulin.

Check out the episode (the title is "Virus"); it's pretty funny in a "Hackers" kind of way. My favorite line:
"Down at the precinct all of our computers can talk to each other. Do you guys have that kind of setup here?"




Overdose
By radium69 on 8/6/2011 6:23:13 AM , Rating: 2
Although you might need to check every time or so.
There is still a delay when insulin is active and breaking down the sugar. It is dangerous and lethal as well. Especially when they give an overdose of 3ml (300 units)

I use manual injection though.
I once chose the wrong insulin and gave myself an overdose (stupid doh) felt really really bad, drank 2 mugs of pure syrup (awful) and dextro and all that.
I don't even want to imagine the full 300 units inside your body.

It probably will send you in a coma... Dangerous stuff.




Wow
By NellyFromMA on 8/8/2011 2:21:05 PM , Rating: 2
"My initial reaction was that this is really cool from a technical perspective," said Radcliffe. "The second reaction was one of maybe sheer terror, to know that there's no security around the devices which are a very active part of keeping me alive."

Wow, what a prick.




Copyright 2014 DailyTech LLC.