– Hack Attacks Warning On Medical Implants (TechWeekEurope, April 10, 2012):
Insulin pumps and pacemakers can be turned off by radio control warn researchers
Security firms have warned hackers could use radio signals to attack pacemakers and other medical implants, potentially killing people.
Researchers from McAfee have shown they can take control of insulin pumps implanted inside diabetes patients, while scientists at the University of Massachussetts have shown they can use radio attacks to turn off defibrillators inside heart patients.
Hackers could kill
Implants such as pacemakers and insulin pumps, sit within patients and keep them alive. They are increasingly being given radio communications so they can be remotely controlled and updated, minimising the number of times they need to be accessed through surgery, and allowing information to be sent and received.
The problem is that the security on the radio link is breakable, and the implants’ operation can be remotely over-ridden.
Barnaby Jack, of Intel security subsidiary McAfee, has shown he can interfere with insulin pumps, by overriding their radio control. The pumps hold 300 units of insulin, enough for about 45 days, and are refilled by a syringe. Jack showed he could get the pumps to empty their reservoir completely in one go – which would cause very severe hypglycaemia (low blood sugar level). The pump has a vibrating alert when it is delivering insulin, and Jack managed to override this also, making the attack potentially deadly.
“We can influence any pump within a 300ft [91m] range,” Jack told the BBC. McAfee has previously announced products to secure embedded devices, which could include implants.
Attacks on surgical implants have been known about for some time. A group of researchers from the University of Massachussetts published a paper in 2008 dealing with attacks on implanted defibrillators, and ways to defend against them. Defibrillators are switched on using a specific radio signal when they are implanted and a hacker that captured this signal could use it to switch the implant off.
These attacks are hard to block because implants are powered by batteries. Adding features such as encryption would increase their power demands and reduce the time they would remain working, so patients would have to undergo surgery sooner to replace the batteries.