
Diabetic discovers potentially deadly flaw in insulin pumps


In an ironic twist, a life-sustaining tool for diabetics can be hacked and turned into a potentially deadly device. A diabetic researcher disclosed the vulnerability in wireless insulin pumps at a hackers' conference in the United States last week. Jay Radcliffe, the Type 1 diabetic who found the flaw, said present devices have no authentication or encryption between the pump and a Java-based tool used to adjust its settings.

"What could you do were you able to talk with someone's insulin pump over the air? You could turn it off, change any and all settings on the device related to the delivery and calculation of the correct quantities of medicine they require, nearly any setting the device supports," Chester Wisniewski, a senior security advisor at computer security firm Sophos Canada and a fellow diabetic, said in a blog post.

Worse, he said, the device has no way to notify the user that it or its settings have been modified, nor does it prompt the user to accept the new configuration. "This could kill people if it were used by someone with malicious intent. Hopefully Radcliffe's research will result in manufacturers taking the security of medical devices much more seriously," he said.

An insulin pump delivers the hormone insulin to diabetics who cannot produce it naturally, as an alternative to multiple daily injections (MDI). Newer devices communicate by radio, reading blood sugar automatically from a continuous glucose monitor (CGM) or a blood glucose meter. Radcliffe reverse engineered the radio protocol between the CGM and the pump and found the device vulnerable to replay attacks, although he has so far been unable to fully forge fake glucose readings. He also experimented with a USB stick that talks to the pump over radio, since the vendor provides a Java application that configures the device wirelessly.

"This is the very scary part, there was no authentication nor encryption between the configuration tool and the device," Wisniewski said. While the device does require its serial number, Wisniewski said an attacker could obtain it through social engineering or brute force. Brute force, which involves guessing the number, is "not out of the realm of possibility," since a serial may have as few as six digits, he added. He also noted that it is presently not possible to "patch" the firmware on a device, meaning it can remain vulnerable for its lifetime, usually five to 10 years.

— TJD, GMA News
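The two design properties the article contrasts, a command accepted on the strength of a serial number alone versus one bound to a per-device key and a strictly increasing counter, can be seen side by side in the constructed Python model below. It is an added example, not the vendor's protocol or Radcliffe's code; the frame layout, the device key, the serial number and the command strings are all assumptions.

```python
import hmac
import hashlib
import struct

# Hypothetical per-device secret, imagined as provisioned when the pump and the
# configuration tool are paired (not a real key).
DEVICE_KEY = b"example-device-key-not-real"


def encode(serial, counter, payload, key=None):
    """Constructed frame: 6-char serial | 4-byte counter | payload [| 32-byte HMAC]."""
    body = serial.encode() + struct.pack(">I", counter) + payload
    if key is None:
        return body  # unauthenticated frame, as in the weak design
    return body + hmac.new(key, body, hashlib.sha256).digest()


class SerialOnlyPump:
    """Weak policy the article describes: any frame naming the right serial is obeyed."""
    def __init__(self, serial):
        self.serial, self.applied = serial, []

    def receive(self, frame):
        if frame[:6] != self.serial.encode():
            return False
        self.applied.append(frame[10:])  # no integrity check, replay accepted
        return True


class AuthenticatedPump:
    """Hardened policy: MAC over the whole body plus a monotonically increasing counter."""
    def __init__(self, serial, key):
        self.serial, self.key, self.applied, self.last_counter = serial, key, [], 0

    def receive(self, frame):
        if len(frame) < 6 + 4 + 32:
            return False  # too short to carry a MAC: reject
        body, tag = frame[:-32], frame[-32:]
        if body[:6] != self.serial.encode():
            return False
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False  # forged or tampered frame
        counter = struct.unpack(">I", body[6:10])[0]
        if counter <= self.last_counter:
            return False  # replayed frame: counter did not advance
        self.last_counter = counter
        self.applied.append(body[10:])
        return True


def demo():
    """Same captured frame delivered twice to each design; returns acceptance decisions."""
    serial, cmd = "123456", b"BASAL=1.2"  # constructed values
    weak, strong = SerialOnlyPump(serial), AuthenticatedPump(serial, DEVICE_KEY)
    weak_frame, strong_frame = encode(serial, 1, cmd), encode(serial, 1, cmd, DEVICE_KEY)
    return {
        "weak_first": weak.receive(weak_frame), "weak_replay": weak.receive(weak_frame),
        "strong_first": strong.receive(strong_frame), "strong_replay": strong.receive(strong_frame),
        "strong_wrong_key": strong.receive(encode(serial, 2, b"BASAL=9.9", b"wrong-key")),
        "strong_next_valid": strong.receive(encode(serial, 2, cmd, DEVICE_KEY)),
    }
```

The weak pump applies the replayed frame a second time, while the authenticated pump rejects both the replay and the frame signed with the wrong key but still accepts the next genuinely new command.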
