Information Security News mailing list archives

Insulin Pump Hack Controversy Grows


From: InfoSec News <alerts () infosecnews org>
Date: Mon, 29 Aug 2011 04:27:47 -0500 (CDT)

http://www.informationweek.com/news/security/vulnerabilities/231600265

By Mathew J. Schwartz
InformationWeek
August 26, 2011

At least four models of insulin pumps sold by Medtronic are vulnerable to being wirelessly hacked. In particular, an attacker could remotely disable the pumps or manipulate every setting, including the insulin dosage that's automatically delivered--every three minutes--to the user.

That was the report given by security researcher Jerome Radcliffe at a press conference on Thursday. Radcliffe, himself a diabetic, demonstrated the pump vulnerability earlier this month at the Black Hat conference in Las Vegas, by remotely disabling his own insulin pump live on stage. Executing the attack required less than 60 seconds, and would work from up to 100 feet away using Radcliffe's demonstration setup. But with some modifications, he said, an attack could be made to work from up to half a mile away.

At the time, Radcliffe declined to name the manufacturer or model of his pump, and obscured everything but the pump's LCD panel when demonstrating the attack. Following ethical disclosure guidelines, Radcliffe said he wanted to give the vendor time to address the flaws, which he exploited using a radio frequency transmitter and 10 lines of Perl code.

On Thursday, however, Radcliffe named names, saying that the vulnerable pumps are the Medtronic Paradigm 512, 522, 712, and 722. Radcliffe said that he'd been dismayed by the lack of "honest public discourse" on the part of Medtronic, which is the number-one seller of insulin pumps in the United States. For the first time, he also disclosed that the radio frequency transmitter that he'd used in the exploit was the Medtronic Minimed Comlink (model number MMT-7304NA) that shipped with his insulin pump, and which is available new, via eBay, for $20. Finally, Radcliffe said his attempts at helping Medtronic quickly identify the underlying issues, so that it could explore a fix, had failed due to its ignoring, obfuscating, or outright lying--in its press releases--about the vulnerability.

[...]

