Lethal medical device hack taken to next level

Eugen Leitl eugen at leitl.org
Wed Oct 26 07:18:57 PDT 2011


(not a problem today; potentially one in future)

http://www.cso.com.au/article/404909/lethal_medical_device_hack_taken_next_level/

Lethal medical device hack taken to next level

Attacker sniffs insulin pump ID, delivers fatal dose

    Stilgherrian (CSO Online (Australia)) - 21 October, 2011 10:02

Killing wirelessly: McAfee security researcher Barnaby Jack delivers a fatal
dose of (fake) insulin (Stilgherrian / CSO Online)

The wireless hacking of a medical device, first demonstrated at the Black Hat
2011 conference in August, has been taken a step further. An insulin pump has
been hacked and instructed to deliver a lethal dose without first knowing the
device's ID number.

Insulin pumps are used to deliver a continuous low-level dose of the hormone
insulin to diabetics. They provide better control over the patient's blood
glucose levels than can be achieved through multiple daily injections.

Modern pumps are designed to communicate wirelessly with blood glucose
measuring devices and the pump's configuration software.

The August hack by IBM cyber threat intelligence analyst Jay Radcliffe, a
diabetic himself, required knowledge of the pump's six-digit ID, although
that number could potentially be obtained by brute-force guessing or through
social engineering.

However at the Focus 11 conference in Las Vegas today, McAfee research
architect Barnaby Jack showed how the device ID could be obtained wirelessly -
something that's easier than it should be because the wireless link has no
encryption and no authentication.

"You're not meant to be able to grab serial numbers out of the air," Jack
said. "This tool I developed should be able to scan the frequency for these
pumps, retrieve the pump ID, and with that pump I can then dispense insulin,
suspend the pump, resume it and that type of thing."

The transmission range is usually only a few feet, but Jack had constructed a
high-gain antenna to boost the range.

Within seconds of activating his scanning software, Jack had obtained the
target device's ID number and gained control.

"Three or four units [of insulin] would be a serious problem. Ten units would
probably send me to hospital for sure. The whole reservoir, when it's full,
holds 300 units, and that's between a three and a four day supply," said a
diabetic introduced as Anthony, who is fitted with the same model pump.

Jack instructed the target pump to deliver its maximum dose of 25 units -
fatal, if it had been insulin going into a real patient rather than blue food
colouring onto a test bench.

"I think for the most part medical devices have been overlooked by security
researchers, but they're used in critical applications," Jack said.
"Compromise these devices [and] there's a very real-world effect."

Following the August hack, the manufacturer's response had been one of
denial.

"The researcher was only able to hack his own pump using in-depth knowledge
about the product. He also had access to specialised equipment," they wrote.

The "specialised equipment" was a standard USB wireless device, and the
"in-depth knowledge" was the pump's ID. Everything else he had obtained by
reverse-engineering the wireless data transmissions.

"We also consider it a very unlikely event, and we strongly believe it would
be extremely difficult for a third party to wirelessly tamper with your
insulin pump," the manufacturer wrote.

Today's demonstration clearly puts lie to that.

Stilgherrian is attending McAfee's Focus 11 security conference in Las Vegas
as their guest.

Contact Stilgherrian at Stil at stilgherrian.com or follow him on Twitter at
@stilgherrian
