Barnaby Jack, famous for getting ATMs to disgorge an avalanche of cash on stage at the Black Hat Briefings, says he has developed an attack that could be used to deliver a lethal dose of insulin to diabetics using the embedded pumps.
Jack, a security researcher at McAfee, demonstrated the hack at the Hacker Halted security conference in Miami on Tuesday. In it, he used a modified antenna and software to wirelessly attack and take control of implantable insulin pumps from the firm Medtronic. Jack demonstrated how such a pump could be commanded to release a fatal dose of insulin to a diabetic who relied on the pump.
The presentation builds on a similar hack, demonstrated at this year’s DEFCON hacking conference in which researcher Jerome Radcliffe — diagnosed with Diabetes 11 years ago — demonstrated how he could tweak the dosage levels on his pump remotely. Radcliffe’s hack required the attacker to know the unique numeric device number of the implantable pump she was attacking. Barnaby’s hack improves on that method, allowing an attacker to compromise any vulnerable device within 300 feet even without knowing its unique device ID.
The August hack at DEFCON prompted a response from federal lawmakers. Two senior members of the House Energy & Commerce Committee called for the Government Accountability Office (GAO) to perform a formal review of wireless medical devices like the pump to determine whether devices that are on the market are “safe, reliable and secure. “
Alas, the consensus among security researchers is that they are not. Jack points out that the Medtronic devices do not use encryption to protect wireless communications between the implanted device and the management software. That means that anyone listening on the proper frequency can intercept those communications and even manipulate the device remotely: tweaking the amount of insulin delivered by the pump, disabling it or restarting it.
In an exclusive interview with Threatpost in August, Kevin Fu, an Associate Professor of Computer Science at the University of Massachusetts, said that software vulnerabilities, including those that may be remotely exploitable, are increasingly common as implanted medical devices use wireless technology for management and diagnostic purposes. Along with Prof. Dina Katabi of MIT, Fu is looking into methods for jamming implantable medical devices (IMDs) to prevent them from being wirelessly tampered with.
Jack is a well respected security researcher with a flair for the dramatic. He famously induced an automated teller machine to spit out a cascade of cash at the Black Hat Briefings in 2010 to demonstrate weaknesses in the software that secures cash machines.
In the case of the insulin pump, however, the potential downside is not economic, but existential.
Medtronic, which manufactures the pump attacked by Jack, said at the time of the BlackHat presentation that it takes the security of its devices seriously and will develop more security features as “technology evolves.” However, the company, maintains that the risk of deliberate or malicious manipulation of insulin pumps is extremely low. “To our knowledge, there has never been a single reported incident of a deliberate attack on an insulin pump user in more than 25 years of insulin pump use,” the company said.
Home page image via cogdogblog‘s Flickr photostream.