Security researcher Barnaby Jack has taken the threat of hacked medical devices to a new level after conducting a live hack of an insulin pump during last week's Hacker Halted conference in Miami.
Jack's demonstration was a follow-up to Jay Radcliffe's August hack of an insulin pump at the Black Hat conference in Las Vegas, but with a new twist: where Radcliffe had the advantage of already knowing the unit's six-digit identification number, Jack used an antenna and receiver to remotely scan for the targeted device.
"You're not meant to be able to grab serial numbers out of the air. This tool I developed should be able to scan the frequency for these pumps, retrieve the pump ID, and with that pump I can then dispense insulin, suspend the pump, resume it and that type of thing," Jack said during the presentation.
Jack was able to use the antenna apparatus he designed to identify and isolate a device utilized by his demonstration volunteer, identified only as "Anthony", prior to taking control of the device.
Once the unit was isolated and the device's serial number confirmed for safety reasons, Jack demonstrated how he could remotely change the unit's delivery of insulin to the intended victim.
"Three or four units [of insulin] would be a serious problem. Ten units would probably send me to hospital for sure. The whole reservoir, when it's full, holds 300 units, and that's between a three and a four day supply," said Anthony.
Jack then instructed the unit to deliver what would be a potentially lethal dose, which was shown to the audience by way of a video camera set up to capture the insulin release in real time.
Needless to say, the attendees were shocked at the demonstration.
Following the August hack by Radcliffe, the insulin pump manufacturer had issued statements dismissing the likelihood of a real-world attack, given that Radcliffe had prior knowledge of the hacked device's unique product identification number.
"The researcher was only able to hack his own pump using in-depth knowledge about the product. He also had access to specialised equipment... We also consider it a very unlikely event, and we strongly believe it would be extremely difficult for a third party to wirelessly tamper with your insulin pump," they contended.
Jack's demonstration negates the company's argument that the devices are relatively secure as long as an attacker does not have the information required to carry out the attack.
"I think for the most part medical devices have been overlooked by security researchers, but they're used in critical applications. Compromise these devices [and] there's a very real-world effect," Jack stated.