Excuse me while I turn off your insulin pump

Diabetics beware. It is possible to hack your insulin pump, from a distance, so that it can harm you rather than save your life. Other medical devices are also vulnerable to hacking in the current age of cyber insecurity. As if patients don’t have enough to worry about.

In a talk at the Black Hat security conference in Las Vegas, Jerome Radcliffe, a diabetic himself and a security researcher, showed how he figured out how to hack into insulin pumps for diabetics.

With diabetes, a patient can’t properly process sugar in his or her blood because the body can’t make enough insulin, which bonds with the sugar and turns it into fat. Patients have to inject themselves with synthetic insulin as many as several times a day to keep their blood sugar under control. If they have too little or too much sugar in their blood, the results can be incapacitating or even life threatening.

Insulin pumps use wireless sensors that detect blood sugar levels and then communicate the data to a screen on the insulin pump. The patient can monitor the readings and inject the insulin as needed. Radcliffe reverse-engineered the pumps and the wireless connectivity and figured out that the system was relatively unprotected. It was configured much more like a dumb device where the manufacturers assumed no one would try to hack it.

There was no encryption, since that requires more complicated processing and would make the battery for the device run out faster. The sensor has to run on a 1.5-volt watch battery for two years. Adding encryption also makes the device more expensive. Once Radcliffe, who has used insulin pumps for a while and has been a diabetic since he was 22, understood how the devices worked, it was relatively simple to figure out how to hack them.

“I can get full remote control” of someone else’s insulin pump, Radcliffe said. “If I were an evil hacker, I could issue commands to give insulin, without anyone else’s authority. This is scary. And I can manipulate the data so it happens in a stealth way.”

Radcliffe, who really wants to educate people on how to better protect medical devices, explained how he figured out how to hack insulin pumps, which rely on wireless connectivity and are therefore vulnerable to being intercepted and compromised.

Radcliffe tackled the problem of hacking the wireless sensors that collect blood sugar information and transmit it to the insulin pump. He had to figure out what kind of chips are used in the sensors. Since the devices emit wireless signals, the manufacturers have to submit designs to the Federal Communications Commission, which investigates whether the device emits anything harmful. Those filings contained valuable information on how the devices operated, Radcliffe said. The data-sheets for the chips also provided good information, and the patent for the $6,000 or so insulin pump was also useful.

Then Radcliffe went through the process of deciphering what the wireless transmissions meant. These transmissions are not encrypted, since the devices have to be really cheap. The transmissions are only 76 bits and they travel at more than 8,000 bits per second. To review the signal, Radcliffe captured the signal with a $10 radio frequency circuit board and then used an oscilloscope to analyze the bits.

He captured two 9-millisecond transmissions that were five minutes apart. But they came out looking like gibberish. He captured more transmissions. About 80 percent of the transmissions had some of the same bits. He reached out to Texas Instruments for help but didn’t have much luck. He told the TI people what he was doing and they decided not to help him.

That was as far as he got on deciphering the wireless signal from the sensor, since there was no documentation that really helped him there. He couldn’t understand what the signal said, but he didn’t need to do that. So he tried to jam the signals to see if he could stop the transmitter. With a quarter of a mile, he figured out he could indeed mess up the transmitter via a denial of service attack, or flooding it with false data.

The problem for manufacturers is that the wireless connection on the insulin pump is also not secure. He wrote a “scanner” program that could query for the device’s wireless signal and it pretty much gave itself away with no encryption to interfere with the scanning. If you can get the serial number of the specific device, you can use that to devise a transmission that issues an instruction to it. Radcliffe can control the pump from a distance. He did it on one device that he owns, not a series of devices, since it was his own personal research. He doesn’t know if some pumps are more secure. He isn’t disclosing the vendor yet, but he will work with the vendor to help create a solution.

Noting that he hacked his own device, Radcliffe added, “That’s another reason I am not disclosing all the technical details. I won’t give out details on how to kill me in the middle of a hacker conference. Lives are at stake here.”

Radcliffe figured out that if he reversed the format of the signal, he could then capture a transmission identification and then retransmit it with fake data. That would cause the insulin pump to inject too much or too little insulin into the person’s bloodstream, potentially killing the patient. The pump did nothing to inform the patient that its data had been altered.

Hacking medical devices isn’t a pretty subject. But it is perfectly possible and manufacturers of those devices shouldn’t ignore the possibility that it can be done. The problem of lack of security awareness among the manufacturers has been around for a while. In 2008, a security researcher at the Defcon security conference showed how he could turn off someone’s pacemaker.

Radcliffe says that next-generation pumps may use Bluetooth wireless radio, which has also been hacked in the past. Research is being done into whether the pumps and the sensors can be integrated so that humans don’t have to make their own assessments about how much insulin they need.

Radcliffe believes that the designs can be improved with more password protection, encryption and other security-minded design tips. Brad Smith, another security tech expert and a registered nurse, said that the problem of medical device hacking has been around for a long time. He said, “It’s just not his insulin pump. It’s also in other devices.”

Smith said the history of these devices is a “litany of disaster” when it comes to security.

“I’m hoping we can get together to do something about this,” Radcliffe said.