Lethal medical device hack taken to next level

Attacker sniffs insulin pump ID, delivers fatal dose

Killing wirelessly: McAfee security researcher Barnaby Jack delivers a fatal dose of (fake) insulin (Stilgherrian / CSO Online)

Killing wirelessly: McAfee security researcher Barnaby Jack delivers a fatal dose of (fake) insulin (Stilgherrian / CSO Online)

The wireless hacking of a medical device, first demonstrated at the Black Hat 2011 conference in August, has been taken a step further. An insulin pump has been hacked and instructed to deliver a lethal dose without first knowing the device's ID number.

Insulin pumps are used to deliver a continuous low-level dose of the hormone insulin to diabetics. They provide better control over the patient's blood glucose levels than can be achieved through multiple daily injections.

Modern pumps are designed to communicate wirelessly with blood glucose measuring devices and the pump's configuration software.

The August hack by IBM cyber threat intelligence analyst Jay Radcliffe, a diabetic himself, required knowledge of the pump's six-digit ID, although that number could potentially be obtained by brute-force guessing or through social engineering.

However at the Focus 11 conference in Las Vegas today, McAfee research architect Barnaby Jack showed how the device ID could be obtained wirelessly — something that's easier than it should be because the wireless link has no encryption and no authentication.

"You're not meant to be able to grab serial numbers out of the air," Jack said. "This tool I developed should be able to scan the frequency for these pumps, retrieve the pump ID, and with that pump I can then dispense insulin, suspend the pump, resume it and that type of thing."

The transmission range is usually only a few feet, but Jack had constructed a high-gain antenna to boost the range.

Within seconds of activating his scanning software, Jack had obtained the target device's ID number and gained control.

"Three or four units [of insulin] would be a serious problem. Ten units would probably send me to hospital for sure. The whole reservoir, when it's full, holds 300 units, and that's between a three and a four day supply," said a diabetic introduced as Anthony, who is fitted with the same model pump.

Jack instructed the target pump to deliver its maximum dose of 25 units — fatal, if it had been insulin going into a real patient rather than blue food colouring onto a test bench.

"I think for the most part medical devices have been overlooked by security researchers, but they're used in critical applications," Jack said. "Compromise these devices [and] there's a very real-world effect."

Following the August hack, the manufacturer's response had been one of denial.

"The researcher was only able to hack his own pump using in-depth knowledge about the product. He also had access to specialised equipment," they wrote.

The "specialised equipment" was a standard USB wireless device, and the "in-depth knowledge" was the pump's ID. Everything else he had obtained by reverse-engineering the wireless data transmissions.

"We also consider it a very unlikely event, and we strongly believe it would be extremely difficult for a third party to wirelessly tamper with your insulin pump," the manufacturer wrote.

Today's demonstration clearly puts lie to that.

Stilgherrian is attending McAfee's Focus 11 security conference in Las Vegas as their guest.

Contact Stilgherrian at Stil@stilgherrian.com or follow him on Twitter at @stilgherrian

Tags softwareinsulin pumpJay Radcliffe

Show Comments