Insulin pumps susceptible to remote hack attacks

Insulin pumps with a remote control option could be vulnerable to hackers, a security researcher announced at last week's Black Hat computer security conference in Las Vegas.

A diabetic himself, researcher Jay Radcliffe experimented on his own insulin pump and was able to reprogram it to respond to another remote control, according to a news report by the Associated Press. A hacker then could instruct the device to deliver too much or too little insulin.

The specific danger is largely theoretical, however, writes IT expert (and insulin pump user) Scott Hanselman in his blog. While Radcliffe did intercept signals from the pump, which indicates a risk, he wasn't able to decipher the data, and could not directly hack the pump itself, Hanselman says.

Radcliffe did hack the pump's remote control, but he had to have the serial numbers from the device itself to actually reprogram it and turn it on or off, Hanselman points out.

This is like saying "I can open your garage door with a [third] party garage door opener. Just give me the numbers off the side of your unit...," he writes.

Other industry experts point out that the potential for medical device hacks is nothing new. In 2008, University of Washington researcher Yoshi Kohno demonstrated that he could take control of a patient's pacemaker and/or defibrillator and deliver deadly shocks to its user.

Radcliffe's response: He says he's not trying to panic pump users, but to encourage manufacturers to explore encryption and other security protections for wireless medical devices, particularly those with remote control options.

Kohno tells the AP that Radcliffe's new research reinforces the urgency of addressing security issues in medical devices before attacks move out of research labs.

"The threat hasn't manifested yet, so what they and we are trying to do is see what the risk could be in the future," said Kohno, who did not participate in Radcliffe's research.

Hanselman recommends that diabetics or physicians concerned about potential hacking turn off the remote control function on their insulin pumps and contact the device manufacturer about security concerns.

Manufacturers themselves downplayed the overall risk, as well. "The risk to a patient with diabetes of having their monitors hacked is extraordinarily small, and there's a greater health risk of not monitoring than...being hacked," Wanda Moebius, vice president at the Advanced Medical Technology Association, told the AP.

To learn more:
- read the Associated Press story at Yahoo News
- check out the VentureBeat story
- read Scott Hanselman's commentary