Black Hat: Diabetic researcher finds insulin pump glitch that almost killed him

Share this article:

A security researcher, who has previously warned manufacturers about security concerns impacting insulin pumps, has uncovered a new issue in the devices that could have dangerous consequences for patients.

Jay Radcliffe, a Type 1 diabetic who works as a senior security analyst at Washington, D.C.-based firm InGuardians, revealed at Black Hat 2013 on Wednesday that a memory storage flaw greatly skewed the amount of insulin he needed to manage his blood glucose levels.

He told conference attendees that the device malfunctioned in March after he changed its battery, leading him to uncover that the insulin pump would forget important data stored in it after a battery change.

According to Radcliffe, who has brought to light insulin pump vulnerabilities before, the issue led him to mistakenly infuse himself with too much insulin to correct his glucose levels – eight units too many, to be exact.

Additionally, the issues he ran into when trying to get the manufacturer, Animas, to rectify the problem, further highlighted the fact that vendors must become more proactive in securing their products.

In June, the U.S. Food and Drug Administration warned users about the growing risk of security issues in medical devices remaining unaddressed by manufacturers.

In 2011, Radcliffe demonstrated at a previous Black Hat conference how an attacker could remotely change his insulin pump to levels that could kill him via social engineering or by running a simple computer scan.

Of his research over the years, Radcliffe said he's run into many critics who accused him of exaggerating the hacking threat to diabetics when conveying his findings.

He defended his disclosures, saying that even if the chance of hackers taking advantage of security concerns in devices was low, it didn't denote that the threat was insignificant. In fact, he said, his research has revealed quite the opposite.

“I've had a lot of people talk about the idea of sensationalizing the issue of medical device risks,” Radcliffe told attendees, later adding that “just because the risk is low, doesn't mean it can't happen” or that researchers (or users) should ignore it.

Researchers have continued to examine the threat presented by medical devices, including the late Barnaby Jack, who recently died just days prior to his scheduled Black Hat presentation on a major security vulnerability in wireless pacemakers and defibrillators.

In 2011, at the Hacker Halted show in Miami, Jack demonstrated how implantable insulin pumps made by vendor Medtronic could be compromised to deliver a fatal dose of the hormone to diabetics.

Share this article:

Sign up to our newsletters

More in News

Brazilian president signs internet 'Bill of Rights' into law

Brazilian president signs internet 'Bill of Rights' into ...

President Dilma Rousseff signed the legislation on Wednesday at the NetMundial conference in Sao Paulo.

Android trojan sends premium SMS messages, targets U.S. users for first time

Android trojan sends premium SMS messages, targets U.S. ...

An SMS trojan for Android, known as FakeInst, has been observed sending premium SMS messages to users all over the world, including, for the first time, the United States.

Report: DDoS up in Q4 2013, vulnerability scanners leveraged to exploit sites

Report: DDoS up in Q4 2013, vulnerability scanners ...

Researchers observed 346 DDoS attacks in the final quarter of 2013 and attackers used Vega and Skipfish vulnerability scanners to exploit web flaws at financial companies.