If there’s one thing that can be learned from attending the annual Black Hat security conference, it’s that hackers will try to hack anything with a computer chip in it – even if that means themselves.
Thirty-three-year-old hacker Jay Radcliffe found that by reprogramming his insulin pump, he could control the device remotely. He released his findings Thursday at Black Hat. The hack highlights vulnerabilities that come from the medical industry’s move toward more networked devices. Millions of patients use implantable medical devices (IMD) that would be susceptible to hacks – gastric stimulators, foot drop implants, cochlear implants, and deep brain neurotransmitters, to name a few.
Radcliffe’s insulin pump uses a remote control to administer insulin. Using a USB device purchased from eBay, Radcliffe was able to track data transmitted from the computer and control the pump’s operations. Radcliffe, whose Black Hat bio lists him as a senior threat intelligence analyst for a major computer company, also found that by intercepting wireless signals sent between the sensor device and the display device on his blood sugar monitors, he could cause them to display inaccurate readings.
Scientists in the past have warned about the vulnerabilities of certain personal medical equipment. A research paper published in 2008 by the Medical Device Security Center said that communication over radio frequencies made pacemakers and defibrillators susceptible to outside attacks. Experimental attacks resulted in both a breach of private patient information contained on the devices and control over device operation. The researchers declined to comment on the potential impacts of an attack on the patient.
For patients who rely on these devices to stay alive, impaired function could cause serious complications or even death. In the April 2010 edition of the New England Journal of Medicine, Dr. William Maisel, an assistant professor at Harvard Medical School, said motivation for hackers could be harvesting private information for financial gain or competitive advantage, sabotage of a manufacturer’s reputation, a terrorist looking to attack a specific person, or “simply the satisfaction of the attacker's ego.”
So how can these devices be protected? Well, encryption is out of the question, for now. “The devices are typically too small to house processors powerful enough to perform advanced encryption to scramble their communications,” the Associated Press reported Thursday. So, instead, researchers have shifted their focus to blocking unwanted interference.
A team at MIT and the University of Massachusetts-Amherst published a paper on a wearable device that could protect patients against unauthorized communication with their medical devices. The paper, titled “They Can Hear Your Heartbeats: Non-Invasive Security for Implantable Medical Devices,” says a device they call “the shield” jams any incoming signals to the medical device. The shield doesn’t require any modification to equipment the patient already has, and it’s small enough that it can be easily removed for medical procedures.
“Without the shield, an adversary transmitting at 100 times the shield’s power can change the IMD’s therapy parameters even from non-line-of-sight locations up to 27 meters away. With the shield, the adversary is successful only from line-of-sight locations less than five meters away, and the shield raises an alarm,” the report states. The built-in alarm beeps or vibrates to alert a patient or caregiver of an incoming attack.
They will present the device at the Association for Computing Machinery’s conference this month.