Jay Radcliffe's work illustrates that hacking can be a matter of life and death. A Type 1 diabetic since the age of 22, Radcliffe has spent the last two years immersed in a struggle to get manufacturers of insulin pumps to show more concern for security.
He first attracted attention in 2011 at a Black Hat conference where he showed how his pump, manufactured by market leader Medtronic, was vulnerable to a remote takeover.
“It was spawned by curiosity,” says Radcliffe. “Someone at a DefCon had illustrated how you could hack the parking meters in San Francisco, and a friend of mine suggested I try that with my pump. I thought that would be neat.”
What he discovered – that his device was protected by a mere six-digit security code – shocked him. After a bit of reverse engineering, he was able to remotely alter the flow of insulin to fatal levels or turn off the device completely. He found that, given the right amount of expertise, the hacker could be up to a mile away from the target device.
“That was kind of disturbing,” he says. “There are about 500,000 insulin pumps in use worldwide, and my guess is that a large percentage of them are vulnerable. Pacemakers are susceptible, too.”
In 2013, Radcliffe was back at Black Hat, demonstrating that a memory storage flaw – discovered after he changed the battery on his Animas-manufactured pump – allowed him to be infused with eight times the amount of insulin he requires.
Occupation: Senior security analyst, InGuardians College: Wayne State University, SANS Technical Institute
Accomplishments: At BlackHat 2011, among the first to present a live demonstration of security weaknesses in insulin pumps.
The initial response from manufacturers to his warnings was extremely negative, but once Congress took an interest in the matter the environment began to change. However, as Radcliffe points out, the congressional investigations have revealed that no one agency – not the U.S. Food and Drug Administration (FDA) nor the Federal Communications Commission – is responsible for ensuring the security of digital medical devices sold in the United States.
“Congress asked how something like these security breaches could go unchecked by federal regulators,” says Radcliffe, “but the response has really been mixed.”
He is encouraged that some manufacturers have begun calling his company, Washington-based InGuardians, to consult on security issues, and says the FDA is working hard to address the issues under its jurisdiction.
As the public became aware of his warnings – as well as those from other medical device hackers, like the late Barnaby Jack – some people began criticizing him for speaking out.
“I heard a lot about how this would slow progress on medical devices,” he says.
Far from seeing his warnings as a hinderance to technological progress, he believes that his demonstrations of security vulnerabilities present manufacturers with an opportunity to innovate as the demand grows for medical products with remote connectivity.
“We have an aging population and an increasing need to provide diagnostic services at a distance,” he says. “We need to strike a balance between the cost savings and safety.”
As to why manufacturers have not previously addressed the security of wireless devices that control their users' lives, Radcliffe is at a loss.
“If the current climate has shown us anything, it is that you have to do security all the time. We would not think of leaving the doors of our houses unlocked, and yet we are not there yet with devices like these. I think a lot of people are still really flippant about the danger they present, but this is not like losing your password or having your online identity compromised.”
As interest – from government, manufacturers and the general public – increases, Radcliffe hopes to continue to play a role in shining a light on the dark corners of medical devices.
“For me, this is not just research. I'm literally connected to it.”