The US Government Accountability Office (GAO), prodded by Congress, has put out a new report [PDF] recommending that the US Food and Drug Administration (FDA) start thinking about how to secure insulin pumps and implantable cardioverter defibrillators against targeted attacks.
As the report states, researchers have recently demonstrated the potential for incidents resulting from intentional threats in the two devices.
One example is the work done by McAfee's Barnaby Jack, who in October 2011 succeeded in overriding an insulin pump's radio control and its vibrating alert safety feature.
Cartridges in such pumps hold up to 300 units of insulin (capacity varies by manufacturer).
That's enough to last a typical diabetic one to two weeks (dosing varies depending on diet, subject weight, and insulin sensitivity), but Jack managed to dump an entire cartridge in one go.
That's a potentially lethal dose that can be delivered without the diabetic knowing about it, given that Jack managed to disable the alarm.
Jack's attack works on most late-model Medtronic insulin pumps, which have tiny radio transmitters that let patients and doctors adjust functions.