Security firms have warned hackers could use radio signals to attack pacemakers and other medical implants, potentially killing people.
Researchers from McAfee have shown they can take control of insulin pumps implanted inside diabetes patients, while scientists at the University of Massachussetts have shown they can use radio attacks to turn off defibrillators inside heart patients.
The problem is that the security on the radio link is breakable, and the implants’ operation can be remotely over-ridden.
Barnaby Jack, of Intel security subsidiary McAfee, has shown he can interfere with insulin pumps, by overriding their radio control. The pumps hold 300 units of insulin, enough for about 45 days, and are refilled by a syringe. Jack showed he could get the pumps to empty their reservoir completely in one go – which would cause very severe hypglycaemia (low blood sugar level). The pump has a vibrating alert when it is delivering insulin, and Jack managed to override this also, making the attack potentially deadly.
“We can influence any pump within a 300ft [91m] range,” Jack told the BBC. McAfee has previously announced products to secure embedded devices, which could include implants.
Attacks on surgical implants have been known about for some time. A group of researchers from the University of Massachussetts published a paper in 2008 dealing with attacks on implanted defibrillators, and ways to defend against them. Defibrillators are switched on using a specific radio signal when they are implanted and a hacker that captured this signal could use it to switch the implant off.
These attacks are hard to block because implants are powered by batteries. Adding features such as encryption would increase their power demands and reduce the time they would remain working, so patients would have to undergo surgery sooner to replace the batteries.
Think you know security? Test yourself with our quiz.
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…
View Comments
hypoglycemia
It would help if the devices were identified. I am not familiar with pumps that hold 45 days worth of insulin? Insulin should be kept cool, and the ones that I am familiar with only hold about 3 days.
Uh, 300 units over 45 days is only 6.66 units per day. That is about one eighth to one thirteenth of the normal amount of insulin required by adults over the course of a day. I take 70 to 80 units per day and have for years - and that's not uncommon for a type 1 diabetic.
It's still a risk - I wouldn't want to get three days worth of insulin in a couple of minutes. That could make the rest of the day very rough at best!
News writers should reality check their numbers - 6.6 units might be OK for an experimental animal, but not for adult humans.
Thanks for your comments.
We are planning to talk directly to Barnaby Jack and will nail down what kind of pump he actually worked with.
Peter
There are implantable pumps and they use concentrated insulin. See http://lukesdday.wordpress.com/2011/04/26/implanted-insulin-pump/
That said, I share concern for the non-implantable variety, too.
Potentially, anything connected can be hacked.
This is nothing more than propaganda to throw a dark cloud over "hacktivists".
I think I'm going to start manufacturing wearable Farraday cages.