Can a Hacker Kill a Diabetic Wirelessly?

Answer: For at least one brand of wireless insulin pump it is theoretically possible. You may now quiver in fear.

Researcher Jay Radcliffe delivered a talk at the “Black Hat” electronic security conference this week. Radcliffe is a diabetic with an implanted blood glucose monitor. Such monitors communicate wirelessly with a matching insulin pump outside the body, an advancement that lets diabetics stay constantly aware of their blood sugar levels without breaking the skin to test until the monitor needs to be replaced; the batteries last around 2 years. The insulin pump monitors blood sugar levels and, when instructed to do so, pumps a gradual insulin flow into the bloodstream, keeping a diabetic stable in a finer and more controlled manner than the sudden shock of injections. This wireless monitor and pump technology has been in use since around 2003 and has become quite well established.

After being fitted with the system, Radcliffe began to wonder how secure it was. It turns out that, to a large extent, the system implanted in Radcliffe relies on “security by obscurity”: the hope that the device is too out of the way and unimportant for anyone to bother. (He didn’t have others to test, and for safety reasons did not disclose the brand of his unit.) Of course, proper security software would be more expensive to create, might require more expensive hardware and would probably drain the battery faster, requiring a better battery to avoid more frequent surgical replacement. The soft security is not just a matter of laziness. Unfortunately, it could now be a matter of life or death.

Radcliffe claims that he could shut the monitor down with a denial of service attack, or copy transmissions to his monitor from a time when his blood sugar was high and retransmit them when his blood sugar is lower, tricking the wearer into overdosing or underdosing themselves due to fake blood sugar readings. Sources appear to be contradictory as to whether Radcliffe claimed the pump could be controlled directly without the wearer pushing a button to activate the insulin flow, and the transcript of his talk is not yet available.
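To show why retransmitted readings work against an unauthenticated link and what a receiver needs in order to reject them, here is an added example that is not from Radcliffe's talk or any real device. The frame layout, key and class names are all hypothetical: one receiver accepts any well-formed frame, the other requires a valid HMAC and a strictly increasing counter.

```python
import hashlib
import hmac
import struct

# Hypothetical pairing key shared by monitor and pump (constructed for this demo).
KEY = b"constructed-demo-key-not-real"
BODY_LEN = 6   # 4-byte counter + 2-byte glucose reading (hypothetical layout)
TAG_LEN = 32   # HMAC-SHA256 output size


def make_frame(counter: int, glucose_mg_dl: int, key: bytes = KEY) -> bytes:
    """Monitor side: pack counter and reading, then append an HMAC tag."""
    body = struct.pack(">IH", counter, glucose_mg_dl)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class NaiveReceiver:
    """Trusts any well-formed frame, so an old reading is accepted again."""

    def accept(self, frame: bytes):
        _, glucose = struct.unpack(">IH", frame[:BODY_LEN])
        return glucose


class CheckedReceiver:
    """Requires a valid tag and a counter newer than the last one accepted."""

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.last_counter = -1

    def accept(self, frame: bytes):
        if len(frame) != BODY_LEN + TAG_LEN:
            return None                      # malformed
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                      # forged or altered in transit
        counter, glucose = struct.unpack(">IH", body)
        if counter <= self.last_counter:
            return None                      # replayed or stale reading
        self.last_counter = counter
        return glucose
```

Authentication and freshness checks address the replayed-reading case only; they do nothing against the denial of service case, where the link is simply made unavailable.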

In case you’re thinking “I’m not a diabetic, this can’t happen to me”, researchers have previously been able to wirelessly hack into modern pacemakers. Wireless medical devices in general are a booming area of medical science, both due to their ability to provide feedback, like the monitor, and to be adjusted without the need for surgery, like pacemaker voltages. Unless wireless security becomes a focus for medical device developers, in a few years we might be staring down stories ranging from “Mass implant hacking incident leaves RNC stiff and sore” to “Securing your e-Diva Cup”.

There is some good news, however. A team at MIT and the University of Massachusetts-Amherst has reportedly invented a wearable “shield” which attempts to jam attacks on wireless devices, including medical devices, and alerts the wearer that such an attack has been detected. The device is to debut at another security conference later this month.

Nods to Engadget and VentureBeat for making me aware of the story.
