Hacking Medical Devices: When Will Hackers Go Too Far?

As we advance into the future, more and more medical devices are starting to go wireless.  Patients are so far enjoying their new wireless technology because it allows them to be more mobile, rather than having to be tied down to the bed because of these medical machines. Also, it allows for “less invasive monitoring and treatment methods for common diseases has also improved patient mobility. Innovations have allowed at-home patient monitoring, minimizing patient trips to the hospital and saving valuable hospital space.”

This all seems well and good, but what people fail to realize that these machines are essentially computers, and can be hacked just like everything else. Barnaby Jack showed the ability to do this last February. For Jack’s example he hacked into the insulin pumps used by diabetics. With a wave of his antenna and a push of a button, Jack has the security credentials for the pump using a program that he wrote himself. His software then instructs the pump to slowly empty it’s insulin supply into the body which will most likely be fatal, especially if the patient doesn’t know until it’s too late. Currently insulin pumps and pacemakers are the two big wireless medical devices, but there are others as well.

Thankfully, no actual attack like this has ever happened on a patient in real life. However, that raises the question of when that will happen. All it takes is one mentally disturbed person with the right know how to execute this hack. Hackers have already caused physical pain to people before, when I hacking group filled the website Epilepsy Foundation with a bunch of epileptic flashing images, sending many into seizures. What’s even scarier is that there hasn’t been that much security put in place on these devices just yet. So far there has been a prototype firewall made by researchers at Purdue and Princeton… but that’s it. You have to wonder if it’ll actually take a person’s death before we see some regulation on these devices.

http://go.bloomberg.com/tech-blog/2012-02-29-hacker-shows-off-lethal-attack-by-controlling-wireless-medical-device/

http://www.purdue.edu/newsroom/research/2012/120412RaghunathanHacking.html

http://www.medicaldevice-network.com/projects/wireless_revolution/

http://www.cbsnews.com/2100-205_162-4079730.html

Advertisements

10 thoughts on “Hacking Medical Devices: When Will Hackers Go Too Far?

  1. Having a father that’s a diabetic this makes me pretty nervous. Security is usually not in the minds of developers, and it’s definitely not on the mind of the engineers developing medical technology. Obviously having someone exploit a digital vulnerability and having a real death is significant, however I don’t think security will be implemented on medical devices until a person of political or higher social standing is a victim of this type of attack.

    • Right, I completely agree. It seems foolish of them to risk the off chance that someone exploits this.

      If I were to blow it up to a larger scale, in my opinion that would be like hospitals not using backup generators or emergency batteries on the off chance of a power outage.

  2. Since I got a bunch of questions in class I was just going to write quickly about my other presentation in here. I blurred out all of the faces because the matter is settled and no ones face needs to be floating around the Internet anymore.

    So basically my friend posted this security camera footage from his party saying that his sign got stolen (http://i.imgur.com/EXCPs.jpg) The guy on the bottom left is the one who does the sign stealing that you see in the bottom right picture, and the other two guys we believed were associated with him because they walked in with him.

    So it turns out that the guy on the top right actually doesn’t know the sign stealer, but after I posted the picture to RIT’s subreddit someone came forward with information and a Facebook page to the guy on the top left. I was doing homework at this point, but my friend was able to find the sign stealer’s Twitter with this information. On his Twitter he was nice enough to include a picture of the sign, along with a pretty cocky hashtag (http://imgur.com/RIlAU)

    Now that we knew we had the right guy we started to dig up information. I found out his name, and using that was able to find his Formspring (sadly he deleted his Facebook). From his Formspring I got his younger brother’s name and his old high school. Putting that information into Facebook I found his younger brother, and checked his mutual friends which let me find his Mom. Then putting his Mom into Google I found their home phone number, and with all of this information tied together I got a street address.

    Meanwhile, my friend dug up an old craigslist posting he made like a year ago wanting to sell his guitar, so he was able to get his actual cellphone number along with his campus email account (he didn’t go to RIT). So finally my friend calls the guy and asks politely for him to give the sign back. At first he isn’t cooperating and was saying that he already gave it away to one of his friends. We figured he’d be a douche about it, so we told him that he either gives us the sign back, or we call his parents and tell them about how he stole from us.

    He didn’t believe we actually had that information, but after giving him the names of his siblings, names and phone numbers of his parents, the school he goes to, and emailing his campus account with a Google Streetview picture of his house he finally came around.

    So basically the moral of the story is:

    1. Don’t steal something at someone’s house you don’t know when there are like 3 security cameras and THEN brag about it on Twitter.

    2. Don’t post so much information about yourself on the Internet so that any average schmuck like myself can find out pretty much every aspect of your life simply by using Google.

    (I won’t count this post as a blog reply)

  3. I found this article to be very interesting because terrorists could use technology like this to discretely assassinate their targets. I have to ask now if any terrorist groups have used exploited vulnerabilities in medical technology to kill someone?

  4. I can’t help but think about sci-fi books in regards to this one. What do we call it when the target of a crack (Jeez, we’re technical people, can we get the difference between hack and crack down?) is an individual, a device that’s a part of them? This is the direction technology is going, and swiftly.

  5. This reminds from a part of the book “The Cuckoo’s Egg” where the hacker was able to access medical research equipment and was potentially able to mess them up. He didn’t, but the fact that he could made the guy who was tracking him confident that he had to bring this guy down, even if it meant working with the U.S. military / government (he was a hippy).

  6. In such cases, it’s not about hacking anymore. In these cases hackers should think clearly that what they are doing is not funny at all. Killing somebody or being a cause of affecting somebody who has these medical devices doesn’t have anything fun and it doesn’t even bring any benefits for that hacker except having some people talk about them and that’s it.

Comments are closed.