Cyber-attacks are no longer limited to computers. At Black Hat, a security researcher discussed how an attacker with a powerful antenna could launch a wireless attack to remotely control an insulin pump and kill the victim from up to half a mile away.
Security researcher Jay Radcliffe set out to find out if proprietary wireless communications could be reverse engineered to manipulate a diabetic’s insulin pump and potentially kill the patient. Radcliffe had a very compelling reason to do this research: he is a diabetic.
“I have two devices attached to me at all times: an insulin pump and a continuous glucose monitor,” said Radcliffe. He said that the devices turned him into a supervisory control and data acquisition (SCADA) system.
During his Aug. 4 “Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System” session, Radcliffe discussed how an attacker could intercept wireless signals emitted by medical devices and broadcast a stronger signal to interfere with regular operation. The malicious commands can change the blood-sugar readout on an insulin pump to misinform the patient about their blood sugar levels, or simply disable the device. If done repeatedly, the attacker could kill a person through improper insulin dosages, Radcliffe suggested.
“It’s basically like having root on the device, which is like having root on the chemistry of your body,” said Radcliffe.
Wireless devices, even medical ones like pacemakers, defibrillators and insulin pumps, are susceptible to eavesdropping. Radcliffe’s pump uses a remote control to administer insulin. The attacker needs only the target device’s serial number for the pump to respond to commands from a stranger’s remote control. With a USB device readily available from eBay or medical supply companies, he was able to see what kind of information the device was transmitting, and could come up with commands to send to the pump.
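The design flaw Radcliffe describes is that the serial number, a value anyone listening can learn, is the only thing the pump checks before acting. The following is an added illustration (constructed here, not Radcliffe’s code and not any vendor’s protocol): a pump model that trusts the serial number alone, beside one that also requires a keyed HMAC under a pairing key and a monotonic counter, so that a command from an unpaired remote, or a captured command sent again, is rejected.

```python
import hmac
import hashlib

# Constructed model of the problem: a remote sends a command to the pump,
# and the pump decides whether to act on it. Serial numbers, keys and
# command strings below are sample values, not from any real device.

class SerialOnlyPump:
    """Acts on any command that carries the pump's own serial number."""
    def __init__(self, serial):
        self.serial = serial
        self.applied = []

    def handle(self, serial, command):
        if serial != self.serial:   # the serial number is the only check
            return False
        self.applied.append(command)
        return True


def tag_for(key, serial, counter, command):
    """HMAC over everything the pump will act on, bound to a counter."""
    data = f"{serial}|{counter}|{command}".encode()
    return hmac.new(key, data, hashlib.sha256).digest()


class AuthenticatedPump:
    """Acts only on commands with a valid HMAC under the pairing key and a
    counter above the last one seen, so replayed captures are dropped."""
    def __init__(self, serial, key):
        self.serial, self.key = serial, key
        self.last_counter = 0
        self.applied = []

    def handle(self, serial, counter, command, tag):
        if serial != self.serial or counter <= self.last_counter:
            return False
        if not hmac.compare_digest(tag_for(self.key, serial, counter, command), tag):
            return False
        self.last_counter = counter
        self.applied.append(command)
        return True


def demo():
    serial, key = "SN-0001", b"constructed-pairing-key"  # key set at pairing, never sent
    weak, strong = SerialOnlyPump(serial), AuthenticatedPump(serial, key)
    cmd = "display_glucose 120"
    good = tag_for(key, serial, 1, cmd)
    return {
        "weak_accepts_unpaired": weak.handle(serial, cmd),            # serial alone suffices
        "strong_rejects_unpaired": strong.handle(serial, 1, cmd, b"\0" * 32),
        "strong_accepts_paired": strong.handle(serial, 1, cmd, good),
        "strong_rejects_replay": strong.handle(serial, 1, cmd, good),  # same message again
    }
```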
Radcliffe suggested scenarios where an attacker could launch attacks from a few feet away, such as on the same airplane or on the same hospital floor, or even as far as a half mile away.
Radcliffe did not name the vendor of the pump he experimented on because it wasn’t “relevant” and he didn’t want “any bad guy or evil hacker” to start working on exploit code right away. He said, half-jokingly, that attackers would be able to kill him if he revealed too much information.
“It would only take one person to do this to kill someone and then you have a catastrophe,” he said.