The Potential for killing Diabetic patients via Hacking !!
While hackers mostly focus their research on the web, mobile devices and programmable electronic gadgets, Jerome Radcliffe, a hacker, researcher, security analyst and himself a diabetic, demonstrated on stage how a wirelessly controlled insulin pump can be taken over and how an attacker could change the amount of insulin delivered, which could kill the patient.
Presenting his work at the Black Hat 2011 conference, he said that the insulin pump and glucose monitor attached to his body around the clock effectively turn him into a SCADA (supervisory control and data acquisition) system. He tested the attack on his own pump, the one he wears all the time, which was an "Oh my gosh!" moment for the audience.
How did Radcliffe go about it?
Because insulin pumps have to be kept cheap, manufacturers do not build advanced security features such as encryption into them. Knowing that, Radcliffe set about analysing and deciphering the signals transmitted from the remote control to the pump. Decoding them was outside his field, so he took the captures to people who could, but nobody took him seriously. In the end he found that there was little need to interpret what the signals meant: in his view you can simply interfere with them, either by jamming them in a denial-of-service (DoS) attack or by flooding the pump with false data. In either case the insulin supply is disrupted, and repeating the attack can be lethal to the victim.
Essentially, the pump can be reprogrammed to accept commands from a new remote control, the attacker's. The remote can carry out this attack from up to half a mile away. Once you have captured control of the pump, you hold the wearer's life in your hands.
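To make concrete why an unencrypted, unauthenticated radio link is so easy to hijack, here is an added example that is not part of Radcliffe's work or of this article: a toy model of a pump that obeys any command frame carrying its id (the id is visible in every captured frame, so a second remote can simply claim it), beside a hardened version that checks an HMAC tag under a pairing key, a strictly increasing counter, and a dose cap. The frame layout, field widths, pump id, key, cap and all helper names are assumptions invented for the illustration, not the protocol of any real device.

```python
"""Toy model of a wireless bolus command: unauthenticated pump vs. hardened pump.

Hypothetical protocol invented for this illustration; it is NOT the radio
protocol of any real insulin pump. Frame layout, field widths, the pump id,
the pairing key and the dose cap are all assumptions.
"""
import hashlib
import hmac
import struct

FRAME_FMT = ">IIH"           # assumed layout: pump id, counter, dose in 0.01 U
BODY_LEN = struct.calcsize(FRAME_FMT)
TAG_LEN = 8                  # truncated HMAC-SHA256 tag (assumed)
MAX_BOLUS_CENTIUNITS = 2500  # assumed hard cap of 25.00 U per single command


def encode_frame(pump_id, counter, centiunits):
    """Build the plaintext command body a remote would transmit."""
    return struct.pack(FRAME_FMT, pump_id, counter, centiunits)


def decode_frame(body):
    return struct.unpack(FRAME_FMT, body[:BODY_LEN])


def sign_frame(key, body):
    """Hardened remote: append a truncated HMAC over the whole body."""
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


def tamper_dose(frame, new_centiunits):
    """Attacker rewrites the dose field of a captured frame, keeping the rest."""
    return frame[:8] + struct.pack(">H", new_centiunits) + frame[10:]


class UnauthenticatedPump:
    """Weak design: any frame carrying the pump's id is obeyed. The id is
    visible in every captured frame, so an attacker's remote can 'pair'."""

    def __init__(self, pump_id):
        self.pump_id = pump_id
        self.delivered = []

    def receive(self, frame):
        pump_id, _counter, dose = decode_frame(frame)
        if pump_id != self.pump_id:
            return "ignored"
        self.delivered.append(dose)
        return "delivered"


class AuthenticatedPump:
    """Hardened design: valid tag under the pairing key, strictly increasing
    counter (defeats replay) and a sanity cap on the dose."""

    def __init__(self, pump_id, key):
        self.pump_id = pump_id
        self.key = key
        self.last_counter = 0
        self.delivered = []

    def receive(self, frame):
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        if len(body) != BODY_LEN or len(tag) != TAG_LEN:
            return "rejected: malformed"
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"
        pump_id, counter, dose = decode_frame(body)
        if pump_id != self.pump_id:
            return "ignored"
        if counter <= self.last_counter:
            return "rejected: replay"
        if dose > MAX_BOLUS_CENTIUNITS:
            return "rejected: over cap"
        self.last_counter = counter
        self.delivered.append(dose)
        return "delivered"


def run_scenario():
    """Run the same attacker moves (tamper, replay) against both designs."""
    pump_id = 0x1234ABCD                                            # constructed id
    key = hashlib.sha256(b"constructed pairing secret").digest()   # constructed key
    weak = UnauthenticatedPump(pump_id)
    strong = AuthenticatedPump(pump_id, key)
    results = {}

    # Legitimate remote sends a 1.50 U bolus; the attacker captures it off the air.
    captured = encode_frame(pump_id, 1, 150)
    results["weak_legit"] = weak.receive(captured)
    results["weak_tampered"] = weak.receive(tamper_dose(captured, 2500))  # 25 U
    results["weak_replay"] = weak.receive(captured)

    captured = sign_frame(key, encode_frame(pump_id, 1, 150))
    results["strong_legit"] = strong.receive(captured)
    results["strong_tampered"] = strong.receive(tamper_dose(captured, 2500))
    results["strong_replay"] = strong.receive(captured)
    # A fresh, correctly signed command with the next counter still works.
    results["strong_next"] = strong.receive(sign_frame(key, encode_frame(pump_id, 2, 100)))

    results["weak_total_centiunits"] = sum(weak.delivered)      # 2800 -> 28.00 U
    results["strong_total_centiunits"] = sum(strong.delivered)  # 250  -> 2.50 U
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name:>24}: {outcome}")
```

Running the script shows the weak pump delivering 28 U from one captured 1.5 U command plus a tampered copy and a replay, while the hardened pump delivers only the two genuinely signed doses. Note what the hardened version does not fix: jamming the channel, the DoS case the article describes, still works against either design, which is why turning the remote feature off remains the practical mitigation for the wearer.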
Prevention?
Usually the cure comes after the disease; in this case the disease is still in the making (I know that sounds odd) and a lot of research remains to be done. While the manufacturers should be taking this vulnerability seriously, the only thing a patient can do right now to prevent it is to turn off the pump's remote control feature. Let's hope the hack gets neutralised before it is fully developed, because otherwise it is terrifying even to think about.
About The Author
Aneeq Fasi covers hacking news at RHA. You can follow him on Twitter at https://twitter.com/#!/aneeqfasi. If you would like to become part of our team, kindly email rafayhackingarticles@gmail.com.