Hacker Barnaby Jack demonstrated a closer-to-life, dangerous application of his trade recently.
Hacking, be it into bank cash machines or websites including social networking sites, is common as hackers find more ways to bypass upgraded security systems. The results range from inconvenience and confusion to loss of money, among other serious implications. But none of these has been of the kind that causes real-life pain. Jack’s demonstration shows otherwise.
Jack, a researcher with McAfee Inc, shot to fame after hacking into a cash machine and making it spit money on stage during the Black Hat Computer Security Conference in 2010. He is currently working on finding security soft spots in wireless medical devices. And the 34-year-old, with his latest stunt, showed how prone these life-saving devices are to hacking and outside manipulation. With a radio device, Jack showed how a common insulin pump, which is implanted inside the body of a diabetic patient to deliver prescribed doses of the chemical into the bloodstream, can be hacked to deliver doses higher than required, triggering fatal consequences.
He used an antenna and a see-through mannequin fitted with a plastic bag of clear liquid (in place of a pancreas) attached inside for his demonstration. With the push of a button on his laptop, the antenna located and hacked into the security system controlling the program of the insulin pump attached to the mannequin’s hip. His software then instructed the pump to push its contents into the “pancreas” through a small tube.
This small demonstration has thrown open a huge debate about the safety of insulin pumps, pacemakers and other medical devices which use wireless communications.
To make matters worse, these devices have to be recalled for updates and cannot receive security updates automatically the way mobile phones or computers do. So security fixes are out of the question. Jack’s findings will be presented at the RSA security conference in San Francisco.
The security of medical devices has been debated before, too. In 2008, a study found that a pacemaker-defibrillator from a popular manufacturer could be remotely reprogrammed to deliver fatal shocks.
Last year, Idaho-based hacker Jay Radcliffe, a diabetic patient himself, showed how hackers could tinker with the bestselling pump.
Radcliffe’s effort resulted in a huge uproar, and the Government Accountability Office (GAO) launched an investigation into whether the medical device industry’s cyber security systems are good enough.
Jack’s efforts take the attack a step further. He can use his program to scan a public space and find vulnerable pumps made by Medtronic Inc, a Minneapolis-based firm. He can then force the pumps to dispense fatal insulin doses.
Jack’s program is something that anyone can replicate and sell online, and the results would be catastrophic.
Medtronic has already taken steps to cover the loopholes in its devices. The company has hired security teams from Argonne National Laboratory, Symantec Corp. and Wurldtech Security Technologies Inc. to inspect its products and is coordinating with the Department of Homeland Security on remedial measures.
But that will take years to implement, and by that time things could take a turn for the nasty.
Jack, though, is working on finding a means to forcibly get into the device’s electronics and upgrade its security.