LAS VEGAS — The next frontier of cybercrime could be the human body, a researcher at the Black Hat Security Conference demonstrated.
In his presentation, "Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System," Jay Radcliffe showed how a hacker could remotely hack two medical devices used to treat diabetes and trigger them to malfunction — with potentially disastrous results.
Radcliffe, a diabetic who wears an insulin pump controllable by a remote device, spent about four months developing a proof-of-concept hack on a continuous glucose meter (CGM), a wireless sensor inserted into human tissue that sends out a blood sugar reading every five minutes to a remote monitoring device.
He also put his hacking skills to work on an insulin pump that delivers insulin to the body via a subcutaneous tube on a person's midsection.
"Wireless communication with insulin pumps are not secure, they're not designed to be updated and there's no way of patching them," he told the audience. "It's not like a phone, where you can download a firmware update."
Similarly, he said, "CGM wireless results are transmitted with little to no security concerns. They've got to be vulnerable."
Shockingly, he was correct.
After digging deeper into the technical specifications of a CGM, Radcliffe found that the communication between the body sensor and its monitor is unidirectional, meaning "the sensor has no knowledge of what is receiving the data."
He then dismantled the glucose-monitoring sensor and found that the chip inside is the same one used in SCADA systems, automated computer networks that run industrial control systems.
Here's where Radcliffe got crafty.
He began launching attacks on the test CGM that caused it to deliever no signal to its user. He posited that if he could somehow capture the sensor's output signal, corrupt it and send it back to the sensor, it could trick the diabetic into thinking his blood sugar was off.
Radcliffe's exploit of the CGM stopped there. His insulin pump, however, proved easier to attack.
After researching the insulin pump's specs, Radcliffe wrote a malicious script, loaded it onto a USB device that communicates via radio frequency — the specific one he used is available on eBay for about $20 — and rigged it to remotely turn off the pump.
With not enough insulin, of course, a diabetic could experience blurry vision and long term kidney damage; with too much, he could begin sweating and experience a loss of fine motor control, respiratory failure and, eventually, death.
Radcliffe said his hardware hacking highlights just how insecure modern, everyday devices are, even ones we rely on for our own health.
"There is always a threat lurking, we can't just ignore it and think that, 'Oh it's just an insulin pump, nobody's going to hack that.' That's what we said 15 years ago about the Web," Radcliffe said. "We need to look ahead of the curve. Just because it can't be done easily, doesn't mean it can't be done. There are way too many smart people out there."