Last year, Jerome Radcliffe caught Medtronic off guard when he hacked into his own insulin pump. No one had attempted such a thing before, at least not successfully.
This year, it has happened again. Bloomberg News reports that another person has proved he can hack into an insulin pump and command it to deliver a lethal dose. To prove it, Barnaby Jack, a security researcher with McAfee, hacked into an insulin pump he had placed in a see-through mannequin. His software wirelessly stole the pump’s security credentials and had it empty all its contents into the fake pancreas inside the mannequin.
What is even scarier about Jack’s feat is that it goes beyond Radcliffe’s attempts in showing how vulnerable these machines truly are. As Bloomberg notes:
He has discovered a way to scan a public space from up to 300 feet away, find vulnerable pumps made by Minneapolis-based Medtronic Inc., and force them to dispense fatal insulin doses. Jack doesn’t need to be close to the victim or do any kind of extra surveillance to acquire the serial number, as Radcliffe did.
Jack’s findings were presented at the RSA Security Conference Wednesday in San Francisco by McAfee’s chief technology officer Stuart McClure.
Medtronic spokesman Steve Cragle said that the company appreciates the security community bringing new information on the possibility of manipulating insulin pumps. He said the company is partnering with the security, healthcare and diabetes communities to protect patients from the risk of tampering.
He said that the company has taken these steps to improve security:
- Conducted an internal vulnerability assessment;
- Hired independent security experts Symantec, Argonne National Laboratory and WurldTech Security Technologies to help with product security improvements;
- Consulted with the Department of Homeland Security’s Cyber Emergency Response Team.