by J.J. Green
May 21, 2012
Pacemakers, brain implants, insulin
pumps and other medically implanted and external devices with
wireless interfaces are vulnerable to cyber-attacks by hackers.
A recently released Department of Homeland Security bulletin sent to
medical and cybersecurity industry professionals warns of possible
This vulnerability raises a new security risk for the average
person, high profile public figures and world leaders alike.
"One example of a common vulnerability I've seen is a medical device
with a wireless interface, where the command and control doesn't have
cryptographic authentication," says Dr. Kevin Fu, an associate
professor in Computer Science at the University of
Fu says a hacker, using a wireless interface, could use "another
computer or another device to change the settings on a medical device
to infuse insulin or control the defibrillation of a heart."
The problem is, "medical devices I've seen today don't generally have
a way to know who is issuing a command or who is authorized," Fu says.
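What cryptographic command authentication looks like on the receiving side, as an added example that is not from the article or from any real device. The frame layout, the pre-shared key and the command strings are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16   # truncated HMAC-SHA256 tag length (assumption)
HDR_LEN = 8    # 64-bit big-endian message counter (assumption)

def _tag(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

def make_frame(key: bytes, counter: int, command: bytes) -> bytes:
    """Programmer side: counter || command || MAC(counter || command)."""
    body = struct.pack(">Q", counter) + command
    return body + _tag(key, body)

class Receiver:
    """Device side: acts only on frames that are authentic and fresh."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0  # highest counter accepted so far

    def accept(self, frame: bytes):
        if len(frame) <= HDR_LEN + TAG_LEN:
            return None, "malformed"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        # Constant-time comparison; the tag covers counter and command.
        if not hmac.compare_digest(tag, _tag(self.key, body)):
            return None, "bad tag"
        counter = struct.unpack(">Q", body[:HDR_LEN])[0]
        # A captured frame sent again carries an old counter.
        if counter <= self.last_counter:
            return None, "replayed or stale counter"
        self.last_counter = counter
        return body[HDR_LEN:], "accepted"

if __name__ == "__main__":
    key = bytes(range(32))                       # constructed demo key
    rx = Receiver(key)
    good = make_frame(key, 1, b"SET_RATE 0.8")   # constructed command
    print(rx.accept(good))                       # genuine frame
    print(rx.accept(good))                       # same frame sent again
    print(rx.accept(make_frame(b"\x00" * 32, 2, b"SET_RATE 9.9")))  # wrong key
```

The receiver answers both of the questions in the quote above: the tag shows the sender holds the key, and the counter shows the frame is not a recording of an earlier one.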
According to the DHS bulletin, "Hackers can take advantage of routine
software update capabilities to gain access and, thereafter,
manipulate the implant."
The warning is not speculation. It's based on fact.
A crowd of people witnessed exactly that last August in Las Vegas.
Security expert Jerome Radcliffe, a diabetic who uses an insulin
pump, showed onlookers at the 2011 Black Hat Technical Security
Conference that his pump's cyber vulnerabilities could lead to
severe consequences.
He used a laptop and other computer-related gear to remotely disrupt
the wireless signals being sent to his insulin pump, reverse them,
swap the data being captured about his condition with phony data,
and then send it back to the pump.
In effect, he demonstrated he could increase the amount of insulin
injected by the pump, or reduce it, which could eventually kill him.
During the chilling demonstration, the pump gave no indication
someone had tampered with it.
The National Cybersecurity and Communications Integration Center,
which authored the bulletin for DHS, says many devices like these,
"are vulnerable to cyber-attacks by
a malicious actor who can take advantage of routine software
update capabilities to gain access and, thereafter, manipulate
According to the American Heart Association, more than three million
people have pacemakers and 600,000 are implanted each year.
"I would be more concerned with the newer devices rather than the
older devices that will eventually be phased out," Fu says.
He says older devices are not susceptible to the wireless
vulnerabilities that newer ones are.
Global security is a particular concern because of the number of
international figures with implants. Former Vice President
Cheney was the well-publicized recipient of a pacemaker. Former
Polish President Lech Walesa has one.
There are others.
Even though their medical information is closely
guarded, the DHS bulletin raises concerns about the security of
interconnectivity introduces additional configuration challenges
between portable devices, medical IT infrastructure, remote
facilities, and partner IT infrastructure.
Portable medical devices are gaining popularity with the introduction
of iPads, smart phones and laptops that use Windows and Mac operating
systems.
These devices are currently being
used by healthcare professionals in direct patient care
settings, including in hospitals to discuss healthcare
information such as clinical tests, x-rays, and lab results with
their patients in real time."
The DHS document points out that doctors
at the University of Chicago use iPads to access patient information
and to aid with patient communication during consultations.
According to the DHS bulletin, a
security software firm discovered malware, called "The Backdoor.Bifrose.AADY," which affected iPad and iTunes users
connecting through Windows operating systems.
The Department of Health and Human Services says it is concerned
about exploitation of potential vulnerabilities of medical devices
on Medical IT networks because of misconfigured networks or poor
But Fu says there is good news.
"There is a lot of great research
going on in the academic community, in order to increase the
security of medical devices. But there has been no complete
transfer of technology to the industry. There's quite a bit more
legwork to do," he says.
Some of that work has been performed by
researchers at Purdue University and Princeton University who have
developed a proof-of-concept device, called MedMon.
It blocks hackers from hijacking or
interfering with wireless medical devices, like pacemakers, insulin
pumps, or brain implants, but is still in the developmental stages.
The companies that make these devices say they are aware of the risk
and have been working on solutions to eliminate the vulnerabilities.