Feeds

Insulin pump hack delivers fatal dosage over the air

Sugar Blues, James Bond style

Internet Security Threat Report 2014

In a hack fitting of a James Bond movie, a security researcher has devised an attack that hijacks nearby insulin pumps, enabling him to surreptitiously deliver fatal doses to diabetic patients who rely on them.

The attack on wireless insulin pumps made by medical devices giant Medtronic was demonstrated Tuesday at the Hacker Halted conference in Miami. It was delivered by McAfee's Barnaby Jack, the same researcher who last year showed how to take control of two widely used models of automatic teller machines so he could to cause them to spit out a steady stream of dollar bills.

Jack's latest hack works on most recent Medtronic insulin pumps, because they contain tiny radio transmitters that allow patients and doctors to adjust their functions. It builds on research presented earlier this year that allowed the wireless commandeering of the devices when an attacker was within a few feet of the patient, and knew the serial number of his pump. Software and a special antenna designed by Jack allows him to locate and seize control of any device within 300 feet, even when he doesn't know the serial number.

"With this device I created and the software I created, I could actually instruct the pump to perform all manner of commands," Jack told The Register. "I could make it dispense its entire reservoir of insulin, which is about 300 units. I just scan for any devices in the vicinity and they will respond with the serial number of the device."

Photo of an insulin pump made by Medtronic

An insulin pump made by Medtronic

It's not the first time a hacker has figured out how to wirelessly issue potentially lethal commands to a medical device implanted in a patient's body. In 2008, academic researchers demonstrated an attack that allowed them to intercept medical information from implantable cardiac devices and pacemakers and to cause them to turn off or issue life-threatening electrical shocks. The devices are used to treat chronic heart conditions.

In a statement, Medtronic officials said they are working to improve the security of the medical devices the company sells by evaluating encryption and other protections that can be added to their design. Representatives are also informing doctors and patients of the risks so they can make more informed decisions. Medtronic officials have also promised to set up an industry working group to establish a set of standard security practices.

"Because insulin pumps are widely used by patients with diabetes for tight blood sugar control and lifestyle flexibility, we are also working to assure both patients and doctors that at this time we believe that the risk is low and the benefits of the therapy outweigh the risk of an individual criminal attack," the statement read.

The pumps are used to treat patients with diabetes by infusing their bodies with insulin, which is secreted by the pancreas. When insulin levels are too low, people suffer from excessive blood sugar levels, a condition known as hyperglycemia. When insulin levels are too high, they suffer from hypoglycemia, a condition that can result in death if left unchecked.

The vulnerable Medtronic devices wirelessly send and receive data over the 900 MHz frequency, and Jack said it's impossible to disable this functionality. He wrote software that works with Medtronic-supplied USB devices that allow doctors and patients to wirelessly monitor the devices from a computer. Combined with custom-built antenna, his system scans a 300-foot radius for compatible devices.

Remote control for virtualized desktops

Next page: Insecure by design

More from The Register

next story
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Seattle children’s accelerates Citrix login times by 500% with cross-tier insight
Seattle Children’s is a leading research hospital with a large and growing Citrix XenDesktop deployment. See how they used ExtraHop to accelerate launch times.
5 critical considerations for enterprise cloud backup
Key considerations when evaluating cloud backup solutions to ensure adequate protection security and availability of enterprise data.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?