Fact or fiction? Hacker hit men can remotely murder through programmable insulin pumps
Original image courtesy of Flickr user kirinqueen.
This week, serious hackers are gathering in Las Vegas to attend Def Con 19, which follows closely on the heels of the Black Hat Technical Security Training and Briefings
A health tech-related demonstration with chilling implications that could have leapt right off the pages of a medical mystery thriller took place yesterday at the Black Hat event.
Imagine the following scenario: a Type I diabetic dies suddenly from an insulin overdose. Authorities assume that the pump was improperly programmed by the user, or that it malfunctioned. As the plot thickens and unfurls, it's discovered that a hacker hit man with a vendetta against the patient, or the pump manufacturer (or both) wirelessly hacked the device to deliver a lethal dose of insulin while sitting innocuously across the coffee shop from his unsuspecting victim, sipping a latte.
This scenario isn't as far fetched as it might seem.
Presenter Jay Radcliffe demonstrated how a program he wrote can wirelessly disable (and send a number of other commands to) his own insulin pump. What kind of hard-to-get information was required in order to hack into god mode on the insulin pump keeping him alive? Just the serial number for the pump. That's it. No, I'm not kidding.
I mean, it would probably take some reasonable programming chops. Radcliffe, according to his Linkedin profile, is a Cyber Threat Intelligence Analyst at IBM. It's ostensibly his job to identify vulnerabilities and target them for research purposes. But the reason he (and other experts like him) are doing that is because the bad guys are, too.
A recent ZDNet article pointed out how a popular Apple product ships with serial numbers and MAC addresses on the outside of the box. As many of the commenters pointed out, a lot of products now ship with their serial numbers printed on the outside of the packaging.
It is, therefore, not an unreasonable jump in logic to assume that an insulin pump might ship to a hospital with a serial number displayed on the outside of the box for all to see. It gives me the shivers.
We live in a world where there are double verification processes in place for just about everything. Even really stupid stuff. For example, today I had to click a link to confirm that it's really me wanting to sign up for a simple email newsletter about my favorite hobby, and not some other person trying to get me spammed with their newsletters.
Shouldn't there be some process by which the patient has to personally approve changes to such a powerful regulatory device, especially since it has been surgically implanted into him? Radcliffe thinks so. He also recommends password protection for the serial number.
Look, I'm not trying to scare any specific individuals here. People living with diabetes have enough to worry about. But I do kind of wish the manufacturers and decision makers in the medical industry would get scared enough to implement some kind of reasonable security measures on these types of devices.
Heck, I should think they'd be rushing to do it, if only to cover their own arses. They often appear to be uber concerned about their own liability in every other far-fetched way (sometimes to the detriment of the patients, in my opinion). It's time for them to to get cracking on a solution for this issue and others like it.
Fact of fiction? Plausible. What do you think? Share your ideas in the TalkBacks below.