Despite warning after warning – the bad news regarding the security of medical devices keeps rolling in. Late last week, news broke that a researcher from Rapid7 had identified ways to remotely exploit an insulin pump through Radio Frequency (RF) communication.
While the risk is low that such attacks would be widespread, the risk is not insignificant. According to the researcher, the at-risk insulin pump system doesn’t encrypt the wireless communications in its wireless management protocol.
“Due to these insulin vulnerabilities, an adversary within sufficient proximity (which can depend on the radio transmission equipment being used in an attack) can remotely harm users of the system and potentially cause them to have hypoglycemic reaction, if he or she does not cancel the insulin delivery on the pump,” the blog post detailing the research stated.
Prior to publication of the findings on the insulin pump vulnerabilities, the vendor, the U.S. CERT/CC, the FDA and DHS were all notified. According to Rapid7, the pump maker actively notified its customers about the risks and provided recommended mitigations.
What’s bugged me about this story, and about most of the coverage around it (and I think it should concern you too, or at least you should be aware of it), is that this isn’t the first time something like this has happened.
Way back in 2011, at an anti-virus vendor’s conference, security researcher Barnaby Jack (Barnaby, or “Barnes” as he was known among friends, tragically passed away three years ago) revealed how it was possible to wirelessly compromise an insulin pump.
In his demonstrated attack, he gained total control of the pumps and could have delivered sequential maximum insulin doses until the unit was emptied. This attack would be lethal to most people. In later research, Barnes showed a crowd at the RSA Security Conference that it was possible to perform this attack up to just under 100 yards away if a special antenna was used.
Surely such attacks are not a substantial concern for most people, but they should be for politicians, business leaders, activists and others in the public eye.
These types of risks aren’t unique to insulin pumps. At the DerbyCon security conference last year, researchers demonstrated how thousands of medical devices, such as X-ray machines, other types of drug infusers, MRI scanners and more, were all at risk of attack. Some devices were insecure because of bad design; others were managed poorly by hospitals or medical providers.
Such defective designs shouldn’t be tolerated by consumers of these devices – nor should they be tolerated by insurers or the medical community. Medical devices that are open to wireless access need to be properly designed and built so as not to add new risks to patients.