Insecure medical devices can endanger the lives of their owners

Oct 28, 2011 18:31 GMT

A famous security researcher proved that the embedded insulin pumps on which many diabetics rely can be accessed remotely and reprogrammed to inject a lethal dose.

According to Threatpost, Barnaby Jack, a security researcher at McAfee, demonstrated the proof of concept at the Hacker Halted conference that recently took place in Miami.

It's not the first time someone has uncovered the weaknesses in such medical equipment; not long ago, Jerome Radcliffe made a similar demonstration. At the time, Radcliffe remotely connected to the pump and changed the dosage, and all he needed to do so was the unique ID of the device.

Barnaby went even beyond that, proving that with a modified antenna, an attacker can take control of the implantable insulin pump and deliver a fatal blow to its owner. He showed in practice that by tuning in to the right frequency, anyone within 300 feet of the apparatus can cause serious damage.

In August, Anna G. Eshoo and Edward J. Markey, senior members of the House Energy and Commerce Committee, sent a letter to the Government Accountability Office (GAO) asking it to examine the “challenges and risks posed by new medical devices and implants that make use of wireless technology to ensure that such wireless-enabled devices are safe, reliable, and secure, and do not cause harmful interference.”

Security experts have clearly shown that these devices are not as protected as they should be. Most wireless medical devices do not use any type of encryption to protect the wireless data transfers that take place between the device and the software that coordinates it.

Not long ago we saw a similar issue, when pacemakers were accessed to show that anyone with the proper know-how could endanger the lives of those who rely on them.