UPatras SB


ieeesb logo





embs logo



Earlier this month, Jerome Radcliffe stood onstage at the Black Hat Technical Security Conference in Las Vegas, hacked into the insulin pump that was affixed to his abdomen by a thin tube, and completely disabled it. Radcliffe is diabetic, and the pump is one component in an insulin-delivery system that monitors and stabilizes his glucose levels to keep him alive.

Although hacking an insulin pump requires the advanced technical know-how of a security expert and a proximity of no more than 30 meters, Radcliffe's demonstration has reopened a debate over whether medical-device manufacturers are taking the necessary steps to fend off attacks by hackers. "Security is an all-the-time thing, not a sometimes thing," he says. "If there's a vulnerability, it needs to be addressed."

Device companies tend to guard their command protocols as if they were secret recipes. People who want to break into a wireless system typically need to buy expensive tools that grab radio signals out of the air, which they can then analyze on a computer, reverse engineer, and play back as a fraudulent command. In 2008, Kevin Fu and other researchers at the Medical Device Security Center, in Amherst, Mass., used this technique to prove that they could hack into a cardiac defibrillator. Once in, the group was able to change the device's settings, tell it to deliver a shock, and disable it altogether.

Radcliffe's attack on his own device (the make and model of which he has kept secret) was impressive, in part because of its simplicity. The insulin pump that he wears can take commands from a human operator, but it also comes with a "dongle" that plugs into the USB port of a PC, a tool that allows patients to communicate with a radio component in the pump to personalize the settings and download medical data. This part of the package sells on eBay for around US $20, according to Radcliffe—no prescription necessary.

"What I found is that the only thing you need is the serial number of the device to be able to communicate with it," says Radcliffe. That serial number for his model is only six digits long, and Radcliffe wrote a computer program that was able to scan all potential combinations until it found the right one.

Although the presentation caught the attention of the crowd and the media, it demonstrated a problem that security researchers in government and academia have been working on for at least three years. A paper under review for the Journal of Diabetes Science and Technology summarizes the threats they have found so far. According to Nathanael Paul, a security researcher at Oak Ridge National Laboratory and an author of the study, most of the problems currently pose little risk but will need to be addressed as devices become more autonomous.

And they are becoming more autonomous by the day. Pacemakers, defibrillators, and insulin pumps can now communicate wirelessly with computers. Car companies are looking at ways to display glucose levels on dashboards. Very soon, insulin pumps will be fully integrated with glucose monitors, taking their commands from an implanted device rather than from a human being. Every advance enhances the user experience but introduces new security concerns.

Medical devices "have been becoming more and more complex to the point today where they involve a multitude of devices," says Paul. "It makes the overall system more complex. That's why we're starting to see a system that's increasingly hard to analyze both for safety and security."

Paul, who also wears an insulin-delivery system, has passed on his concerns and suggestions to the U.S. Food and Drug Administration (FDA), which regulates such devices. The first fixes, he says, would be to add encryption to wireless commands and to make sure that patients can update their software only from an authorized source.

Although Paul couldn't confirm any concrete action on the part of the FDA, medical-device companies have reported renewed pressure from the agency to address the security concerns. The FDA has "been receptive to all of our ideas," says Paul. "They've taken them to heart."

Radcliffe, on the other hand, contacted the company that manufactures his insulin pump directly and recommended that the system at least notify the user when a setting has changed. "I think that would be a pretty easy way to deter any stealth, malicious activity," he says.

Both Paul and Radcliffe continue to wear their devices, and Paul emphatically encourages other people with diabetes to do the same. "It's important to reassure insulin-pump wearers that these are issues that are being handled," he says. "If someone recommended that they wear this device today, then they should. The overall risk is quite low."



IEEE Spectrum