InnovationSecurityWorkspace

Hack Attacks Warning On Medical Implants

heartpacemakerimplanttop - © Dmitry Skvorcov - Fotolia.com
0 0 7 Comments

Insulin pumps and pacemakers can be turned off by radio control warn researchers

Security firms have warned hackers could use radio signals to attack pacemakers and other medical implants, potentially killing people.

Researchers from McAfee have shown they can take control of insulin pumps implanted inside diabetes patients, while scientists at the University of Massachussetts have shown they can use radio attacks to turn off defibrillators inside heart patients.

Hackers could kill

pacemaker heart medicine © picsfive - Fotolia.comImplants such as pacemakers and insulin pumps, sit within patients and keep them alive. They are increasingly being given radio communications so they can be remotely controlled and updated, minimising the number of times they need to be accessed through surgery, and allowing information to be sent and received.

The problem is that the security on the radio link is breakable, and the implants’ operation can be remotely over-ridden.

Barnaby Jack, of Intel security subsidiary McAfee, has shown he can interfere with insulin pumps, by overriding their radio control. The pumps hold 300 units of insulin, enough for about 45 days, and are refilled by a syringe. Jack showed he could get the pumps to empty their reservoir completely in one go – which would cause very severe hypglycaemia (low blood sugar level). The pump has a vibrating alert when it is delivering insulin, and Jack managed to override this also, making the attack potentially deadly.

“We can influence any pump within a 300ft [91m] range,” Jack told the BBC. McAfee has previously announced products to secure embedded devices, which could include implants.

Attacks on surgical implants have been known about for some time. A group of researchers from the University of Massachussetts published a paper in 2008 dealing with attacks on implanted defibrillators, and ways to defend against them.  Defibrillators are switched on using a specific radio signal when they are implanted and a hacker that captured this signal could use it to switch the implant off.

These attacks are hard to block because implants are powered by batteries. Adding features such as encryption would increase their power demands and reduce the time they would remain working, so patients would have to undergo surgery sooner to replace the  batteries.

Think you know security? Test yourself with our quiz.

  1. It would help if the devices were identified. I am not familiar with pumps that hold 45 days worth of insulin? Insulin should be kept cool, and the ones that I am familiar with only hold about 3 days.

  2. Uh, 300 units over 45 days is only 6.66 units per day. That is about one eighth to one thirteenth of the normal amount of insulin required by adults over the course of a day. I take 70 to 80 units per day and have for years – and that’s not uncommon for a type 1 diabetic.
    It’s still a risk – I wouldn’t want to get three days worth of insulin in a couple of minutes. That could make the rest of the day very rough at best!
    News writers should reality check their numbers – 6.6 units might be OK for an experimental animal, but not for adult humans.

  3. Thanks for your comments.

    We are planning to talk directly to Barnaby Jack and will nail down what kind of pump he actually worked with.

    Peter

  4. Potentially, anything connected can be hacked.

    This is nothing more than propaganda to throw a dark cloud over “hacktivists”.