Black Hat: Diabetic researcher finds insulin pump glitch that almost killed him


A security researcher, who has previously warned manufacturers about security concerns impacting insulin pumps, has uncovered a new issue in the devices that could have dangerous consequences for patients.

Jay Radcliffe, a Type 1 diabetic who works as a senior security analyst at Washington, D.C.-based firm InGuardians, revealed at Black Hat 2013 on Wednesday that a memory storage flaw greatly skewed the amount of insulin he needed to manage his blood glucose levels.

He told conference attendees that the device malfunctioned in March after he changed its battery, leading him to uncover that the insulin pump would forget important data stored in it after a battery change.

According to Radcliffe, who has brought to light insulin pump vulnerabilities before, the issue led him to mistakenly infuse himself with too much insulin to correct his glucose levels – eight units too many, to be exact.
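The failure Radcliffe describes is a dosing aid that silently continues with missing or stale therapy settings after a power interruption. The following C program is an added illustration of the defensive pattern a firmware engineer would want here; it is not code from the pump, from Animas, or from Radcliffe's talk. The record layout, the field names, the CRC-16 check, and the simplified correction-bolus formula (glucose above target divided by an insulin sensitivity factor) are all assumptions made for this example. The point it shows is that a record that fails integrity checks after a simulated battery change makes the bolus calculation refuse to answer, rather than compute a dose from garbage.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical therapy settings needed for a correction bolus.
 * Field names are assumptions for this example, not a real device's layout. */
typedef struct {
    uint32_t magic;               /* marks a record that was written on purpose */
    uint16_t insulin_sensitivity; /* mg/dL lowered per unit of insulin (ISF) */
    uint16_t target_bg;           /* target blood glucose, mg/dL */
    uint16_t crc;                 /* CRC-16 over the fields above */
} therapy_settings_t;

#define SETTINGS_MAGIC 0x53455431u

/* CRC-16/CCITT, used here as an integrity check on the stored record. */
static uint16_t crc16(const uint8_t *data, size_t len) {
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)data[i] << 8;
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021)
                                 : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Simulated non-volatile memory (constructed for the example). */
static uint8_t nvram[sizeof(therapy_settings_t)];

void settings_save(const therapy_settings_t *s) {
    therapy_settings_t copy = *s;
    copy.magic = SETTINGS_MAGIC;
    copy.crc = crc16((const uint8_t *)&copy, offsetof(therapy_settings_t, crc));
    memcpy(nvram, &copy, sizeof copy);
}

/* Returns 1 if a valid record was loaded, 0 if it is missing or damaged. */
int settings_load(therapy_settings_t *out) {
    therapy_settings_t tmp;
    memcpy(&tmp, nvram, sizeof tmp);
    if (tmp.magic != SETTINGS_MAGIC) return 0;
    if (crc16((const uint8_t *)&tmp, offsetof(therapy_settings_t, crc)) != tmp.crc) return 0;
    *out = tmp;
    return 1;
}

/* Correction bolus in tenths of a unit, or -1 when the settings cannot be trusted.
 * The unsafe alternative is to proceed with whatever bytes happen to be in memory. */
int correction_bolus_tenths(int current_bg) {
    therapy_settings_t s;
    if (!settings_load(&s) || s.insulin_sensitivity == 0) return -1; /* refuse; require re-entry */
    if (current_bg <= s.target_bg) return 0;
    return (current_bg - s.target_bg) * 10 / s.insulin_sensitivity;
}

/* A battery pull that either leaves the record intact or leaves erased flash (0xFF). */
void simulate_battery_change(int loses_data) {
    if (loses_data) memset(nvram, 0xFF, sizeof nvram);
}

/* Scenario: ISF 50, target 100 mg/dL, reading 250 mg/dL after a battery change.
 * Intact record -> 30 tenths (3.0 units); lost record -> -1 (refuse to dose). */
int example_run(int loses_data) {
    therapy_settings_t s = { 0, 50, 100, 0 };
    settings_save(&s);
    simulate_battery_change(loses_data);
    return correction_bolus_tenths(250);
}

int main(void) {
    printf("intact settings:  bolus = %d tenths\n", example_run(0));
    printf("settings lost:    bolus = %d (refused)\n", example_run(1));
    return 0;
}
```

The design choice is the return value of -1: a device that cannot prove its settings survived the power cycle should make the user re-enter or confirm them before it offers any dose, instead of falling back to defaults or to whatever the memory now contains.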

Additionally, the difficulty he ran into when trying to get the manufacturer, Animas, to rectify the problem further highlighted that vendors must become more proactive in securing their products.

In June, the U.S. Food and Drug Administration warned users about the growing risk of security issues in medical devices remaining unaddressed by manufacturers.

In 2011, at a previous Black Hat conference, Radcliffe demonstrated how an attacker could remotely alter his insulin pump's dosage settings to levels that could kill him, using social engineering or a simple computer scan.

Of his research over the years, Radcliffe said he's run into many critics who accused him of exaggerating the hacking threat to diabetics when conveying his findings.

He defended his disclosures, saying that even if the chance of hackers taking advantage of security concerns in these devices was low, that did not mean the threat was insignificant. In fact, he said, his research has revealed quite the opposite.

“I've had a lot of people talk about the idea of sensationalizing the issue of medical device risks,” Radcliffe told attendees, later adding that “just because the risk is low, doesn't mean it can't happen” or that researchers (or users) should ignore it.

Researchers have continued to examine the threat presented by medical devices, including the late Barnaby Jack, who recently died just days prior to his scheduled Black Hat presentation on a major security vulnerability in wireless pacemakers and defibrillators.

In 2011, at the Hacker Halted show in Miami, Jack demonstrated how implantable insulin pumps made by vendor Medtronic could be compromised to deliver a fatal dose of the hormone to diabetics.
