Insulin pump hack delivers fatal dosage over the air

[InfoSec News <alerts () infosecnews org>]

http://www.theregister.co.uk/2011/10/27/fatal_insulin_pump_attack/

By Dan Goodin in San Francisco
The Register
27th October 2011

In a hack fitting of a James Bond movie, a security researcher has 
devised an attack that hijacks nearby insulin pumps so he can 
surreptitiously deliver fatal doses to diabetic patients who rely on 
them.

The attack on wireless insulin pumps, made by medical devices giant 
Medtronic, was demonstrated Tuesday at theHacker Halted conference in 
Miami. It was delivered by McAfee's Barnaby Jack, the same researcher 
who last year showed how take control of two widely used models of 
automatic teller machines so he could to cause them to spit out a steady 
stream of dollar bills.

Jack's latest hack works on most recent Medtronic insulin pumps, because 
they contain tiny radio transmitters that allow patients and doctors to 
adjust their functions. It builds on research presented earlier this 
year that allowed the wireless commandeering of the devices when an 
attacker was within a few feet of the patient, and knew the serial 
number of his pump. Software and a special antenna designed by Jack 
allows him to locate and seize control of any device within 300 feet, 
even when he doesn't know the serial number.

"With this device I created and the software I created, I could actually 
instruct the pump to perform all manner of commands," Jack told The 
Register. "I could make it dispense its entire reservoir of insulin, 
which is about 300 units. I just scan for any devices in the vicinity 
and they will respond with the serial number of the device."

[...]


_____________________________________________________
Subscribe to InfoSec News - www.infosecnews.org
http://www.infosecnews.org/mailman/listinfo/isn