Black Hat: Diabetic researcher finds insulin pump glitch that almost killed him

A security researcher, who has previously warned manufacturers about security concerns impacting insulin pumps, has uncovered a new issue in the devices that could have dangerous consequences for patients.

Jay Radcliffe, a Type 1 diabetic who works as a senior security analyst at Washington, D.C.-based firm InGuardians, revealed at Black Hat 2013 on Wednesday that a memory storage flaw greatly skewed the amount of insulin he needed to manage his blood glucose levels.

He told conference attendees that the device malfunctioned in March after he changed its battery, leading him to uncover that the insulin pump would forget important data stored in it after a battery change.

According to Radcliffe, who has brought to light insulin pump vulnerabilities before, the issue led him to mistakenly infuse himself with too much insulin to correct his glucose levels – eight units too many, to be exact.

Additionally, the difficulties he ran into when trying to get the manufacturer, Animas, to rectify the problem further highlighted the fact that vendors must become more proactive in securing their products.

In June, the U.S. Food and Drug Administration warned users about the growing risk of security issues in medical devices remaining unaddressed by manufacturers.

In 2011, Radcliffe demonstrated at a previous Black Hat conference how an attacker, using social engineering or a simple computer scan, could remotely change his insulin pump's settings to levels that could kill him.

Of his research over the years, Radcliffe said he's run into many critics who accused him of exaggerating the hacking threat to diabetics when conveying his findings.

He defended his disclosures, saying that even if the chance of hackers taking advantage of security concerns in these devices was low, that did not mean the threat was insignificant. In fact, he said, his research has revealed quite the opposite.

“I've had a lot of people talk about the idea of sensationalizing the issue of medical device risks,” Radcliffe told attendees, later adding that “just because the risk is low, doesn't mean it can't happen” or that researchers (or users) should ignore it.

Researchers have continued to examine the threat presented by medical devices, including the late Barnaby Jack, who recently died just days prior to his scheduled Black Hat presentation on a major security vulnerability in wireless pacemakers and defibrillators.

In 2011, at the Hacker Halted show in Miami, Jack demonstrated how implantable insulin pumps made by vendor Medtronic could be compromised to deliver a fatal dose of the hormone to diabetics.
