McAfee Claims Successful Insulin Pump Attack
judgecorp writes "Intel security subsidiary McAfee has claimed a successful wireless attack on insulin pumps that diabetics rely on to control blood sugar. While previous attempts to attack insulin pumps have met with mixed success, McAfee's Barnaby Jack says he has persuaded an insulin pump to deliver 45 days worth of insulin in one go, without triggering the pump's vibrating alert safety feature. All security experts still say that surgical implants are a benefit overall."
There is always that conspiracy theory that many if not most viruses are written by anti-virus software vendors.
After all we didn't have many viruses until these things appeared on the market.
I'm not one to believe this sort of conspiracy theory, but McAfee isn't doing themselves any favors by publicizing this.
It isn't connected.
But it could be (then you would patent it, I suppose.)
While this is interesting and all and potentially could be used at a high value directed target, as a general problem it's pretty limited. There aren't many insulin pumps out there, there are several manufacturers and I would imagine the exploit is device specific.
I'm not sure just why the manufacturer thinks the pump needs to have a wireless function though. If it needs to talk to another device, I would have used a small magnetic cable (so it doesn't get pulled out). Easy peasy as opposed to convincing a wireless device to talk to something else.
Faster! Faster! Faster would be better!
Indeed. Lots of technology benefits from wireless access but does not have adequate security, if any.
http://www.ted.com/talks/lang/en/avi_rubin_all_your_devices_can_be_hacked.html
McAfee releases an antivirus product for insulin pumps.
What special sort of sicko would do this for kicks?
Seriously? You have to ask?
Not for kicks, but lulz.
You've really never heard of security companies coming up with exploits first so they know how to solve them in case somebody else has the same idea?
I know it's naïve to even ask, but would this be used in the wild? What special sort of sicko would do this for kicks?
The Darzhavna Sigurnost (Bulgarian Secret Police) and the KGB killed Georgi Markov on a bridge in London by stabbing him in the back with an umbrella that fired a ricin filled pellet. The ability to assassinate someone by infecting their insulin pump would be a goldmine.
The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
So what?
If someone throws a rock into your windshield, you die. We still drive cars.
Hell, if someone sticks a knife into you, you die. Everyone uses knives.
If someone wants you dead, there are a myriad ways to do it. The problem is not with those attack vectors, but with the fact that someone is after your life.
This is not a 'security breach', it is murder. And it takes a murderer to do it.
This is just another case of 'same old, but now on the intertubes/with a computer!!'.
An insulin pump is NOT implanted inside the user's body, and it is NOT a medical implant. A small, disposable cannula attached to the pump via plastic tubing is inserted by the user under the skin just a few mm, and is exchanged by the user every few days. There is no permanently inserted component to an insulin pump.
Also, pump cartridges that hold insulin typically range from 200-300 units. Contrary to the article's claims, this is not 45 days' worth! Someone who is not insulin resistant using a 200 unit model would get 6, 7 days out of it tops. People who use the bigger ones because they are very insulin resistant might use 300 units in just a couple of days.
The BBC article also states "Mr Jack said diabetics typically needed a dose of 5-10 units of insulin after a heavy meal to help regulate blood sugar. Making the device empty its cartridge into a host's bloodstream would cause "deep trouble"."
This is very flawed as well. Typically, insulin is taken before a meal whenever possible, and how "heavy" the meal is, is irrelevant. What matters is the user's insulin to carb ratio (how much insulin they need to properly use a gram of carbs) and how many carbs the item they eat contains. Some people require a very large amount of insulin for very small amounts of carbs, some people require barely any insulin for a large amount. Also, when a person relies on an insulin pump, they're not just adding insulin to their body during mealtimes, the vast majority will be using it to deliver a "basal" dose of insulin, or a small amount of insulin 24/7 to stay alive (as this is a function normal non-diabetic bodies perform.) They also use it to deliver corrections, or small doses of insulin in response to blood glucose levels that are higher than expected after meals or throughout the day. A pump is not just a device you use after a "heavy meal."
While it is true that an insulin cartridge unwillingly emptied into a patient poses significant danger, even without an alarm, I suspect 99% of people would be able to quickly notice such a large dose of insulin being delivered. You can see and feel insulin being delivered that rapidly. And if they happened to miss it, that's what frequent monitoring of blood glucose (which is required for all insulin pump users) is for. Sure, taking 200-300 units more than you should have would be a world of suck, but if you had access to food to eat or a sweet drink or glucose tablets, it's very likely an experienced diabetic would survive that sort of incident... to say nothing of if the cartridge wasn't full. But that's all assuming we're taking someone who has clearly made several mistakes in their reasoning for their word when they say they can access these devices.
If more security were implemented in an insulin pump, there would certainly be no "frequent surgeries to replace the batteries," as the battery is (like the entire pump) stored in an external pump. It would involve the manufacturer mailing you a replacement and you switching it out.
What special sort of sicko would do this for kicks?
Seriously? You have to ask?
One who would walk into a school or university and start shooting random people.
Unfortunately these people exist :-(
Who needs a high-value target when you could hold any diabetic hostage for ransom? All it takes is a vulnerable wireless router with a sufficiently flexible transmitter, and the ability to scan for a nearby victim. Barring the implacable reality of device incompatibility, this is scary stuff.
Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
True, but most people don't come with "instant wireless death button" enabled.
And it takes a murderer to do it.
No, in this case it takes a script kiddie.
Pretend there is some witty statement here.
I completely agree, if this gets in the wild what would stop some sociopathic miscreant from sitting outside of a Wal-Mart or whatever and randomly assassinating people using their insulin pumps? I don't think profit has to be a factor in the equation when the human animal is involved and a person's death is the end result.
I got here through a series of tubes
I think the fear of this comes not from the fact that it's possible, but the fact that it seems much more difficult to investigate, and thus more appealing to a would-be killer, than other forms of murder. Harder to investigate translates to less likelihood of getting caught, which in turn translates into less apprehension about committing the crime.
Yes, but poison requires access. You have to be close enough to put it in the target's food or drink, or inject the target with the poison. Shooting the target leaves evidence - the bullet etc. However, this is a wireless attack, with a good antenna it probably can be done from quite far away and would leave no evidence.
Yeah but a lot of the time people don't kill other people because of the evidence trail, or just sheer inconvenience of it. If it was as easy as hitting a "run" button on your smartphone, people might not be so hesitant. The fear of being caught keeps a lot of people honest and if people didn't have that fear, how honest would people really be in today's society? I doubt that I'd have the restraint at, say, a Westboro protest or a Tea Party rally.
There are different kinds of pumps. The most common is the type you describe, but there are in fact implantable insulin pumps which get refilled via syringe, and this is the type described in the article:
"The pumps hold 300 units of insulin, enough for about 45 days, and are refilled by a syringe."
Who needs to update their heart from 300 feet away? One of the articles discusses encryption as a solution -- because the person is an idiot. My heart doesn't have any encryption. It has one very important security feature: it doesn't talk to devices 300 feet away.
It's very easy to screw with my organs, you come up to me and you hit them. It's really easy.
So who decided that an insulin pump needed full-range wireless connectivity? How about 3 inches. 3 inches would have been great. It's already refilled by a syringe. Ignoring, for the moment, that a syringe-like probe could have updated it without anything being wireless, a simple short-range induction or vibrational signal, or even IR -- actually, IR would have been fantastic because it would have been obscured by clothing, a security device that has resulted in every doctor everywhere asking patients to disrobe, and then leaving for another random amount of time.
But no, let's use a technology designed for long-distance communication. We talk to space telescopes and Voyager probes this way, so it clearly makes sense that implanted devices be accessed this same way -- you know, in case Voyager wants to screw with us.
Try essentially impossible to investigate. How many people do you walk within twenty feet of in any given week? Any given year? Now imagine that any one of those people might have been the person who injected code that waits a predetermined period of time, does something bad, and then erases the location where the time delay is stored so that the original value cannot be recovered after the fact.... Or worse, overwrites the time delay with a value that implicates someone else.
All it takes is a vulnerable wireless router with a sufficiently flexible transmitter, and the ability to scan for a nearby victim.
Or, you know, a gun. And anyone nearby for a victim.
Socialism: a lie told by totalitarians and believed by fools.
To be clear here, the wireless in use has nothing to do with WiFi aside from being radio communication. You cannot control/hack/disable these things with a wireless router - they require very specialized equipment to produce the correct radio signal.
Still, not great, but nothing new by a long shot.
If the only way you can accept an assertion is by faith, then you are conceding that it can't be taken on its own merits
No! Not BB-style italics! The one true faux pas! My family's honour is destroyed!
Ahh, but this is nearly undetectable. While some people COULD come together and go all CSI and maybe find a few suspicious people, it wouldn't be 'beyond a shadow of a doubt' to see someone standing around in front of Walmart with a backpack on.
Relative safety increases the chances some psycho is going to try to fulfill their desires. If people suddenly had a 99% chance of robbing a bank and getting away with it, there'd be a lot more bank robberies.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
I don't use a pump but the ones I've seen over here in the UK contain the insulin in cartridge form and attach to the patient's belt, with a delivery tube going to the belly. If I was wearing a pump and got an email demanding cash to save having a massive insulin dose delivered, what's to stop me physically removing the insulin delivery tube from my belly so the insulin can't be delivered, then using regular injections instead?
The fact they can be hacked is bad news bears and should be corrected but I think your hostage situation is a bit imaginary.
No, they're not implanted. Implanted pumps do exist, but it's pretty clear that they're talking about run-of-the-mill Medtronic brand external insulin pumps in the article, even if they get some of the details wrong. People still like to wear those under their clothes and control them with a wireless remote control, though.