Jerome Radcliffe scared a lot of people — including himself, since he is a diabetic — when he showed how easy it was to hack an insulin pump from a distance at the Black Hat security conference in Las Vegas early this month.
At the time, Radcliffe didn’t disclose the vendor names or models. He withheld the information to stay within legal boundaries, to protect himself, and to make sure he did not arm criminal hackers with the means to carry out the actual hacks. Today he revealed in a conference call that the company in question was Medtronic, and that it has not acknowledged that there is a security risk.
“I chose not to disclose the details to protect the public safety of diabetics,” he said today in a conference call. But that was before he ran into a brick wall with Medtronic.
Now he has worked with the Department of Homeland Security and the Computer Emergency Response Team to contact the vendor of insulin pumps. He said he expected to get honest, public disclosure from the vendor about what it would do to fix the problem.
“I expect a company to be truthful with any press statements and to do fact checking,” he said. “I expect a comprehensive solution in a timely manner.”
Today, Radcliffe revealed that the company was Medtronic, which had an engineer available at his talk in early August. Radcliffe said that on Aug. 9, Medtronic posted a statement on its web site that says it wasn’t really a security problem. Radcliffe was unsettled by that and emailed the engineer again. On Aug. 12, the DHS contacted the company and got no response. On Aug. 15, Congress sent a letter to the General Accounting Office asking for an investigation. And on Aug. 24 Medtronic gave an Associated Press reporter the same reinforced PR statement. CERT also contacted Medtronic.
“Medtronic takes very seriously the issue of information security of its devices,” the company said in a statement. “It’s an integral part of the very fabric of our product design processes.” It also said, “To our knowledge, there has never been a single reported incident of wireless tampering outside of controlled laboratory experiments in more than 30 years of use.”
The company made a point to minimize the importance of Radcliffe’s work, which prompted Radcliffe’s follow-up call with reporters today.
“It was really disappointing to me they would publish this information without doing any fact-checking whatsoever,” Radcliffe said. “You should contact Medtronic and let them know you find this type of behavior unacceptable. If you are a customer, you should demand they take this issue seriously and be truthful.”
With diabetes, a patient can’t properly process sugar in his or her blood because the body can’t make enough insulin, which bonds with the sugar and turns it into fat. Patients have to inject themselves with synthetic insulin as often as several times a day to keep their blood sugar under control. If they have too little or too much sugar in their blood, the results can be incapacitating or even life threatening.
Insulin pumps use wireless sensors that detect blood sugar levels and then communicate the data to a screen on the insulin pump. The patient can monitor the readings and inject the insulin as needed. Radcliffe reverse-engineered the pumps and the wireless connectivity and figured out that the system was relatively unprotected. It was designed more like a dumb device, on the manufacturers’ assumption that no one would try to hack it.
There was no encryption, since that requires more complicated processing and would make the battery for the device run out faster. The sensor has to run on a 1.5-volt watch battery for two years. Adding encryption also makes the device more expensive. Once Radcliffe, who has used insulin pumps for a while and has been a diabetic since he was 22, understood how the devices worked, it was relatively simple to figure out how to hack them.
Radcliffe says he really wants to educate people on how to better protect medical devices. He explained how he figured out how to hack insulin pumps, which rely on wireless connectivity and are therefore vulnerable to being intercepted and compromised.
At Black Hat, Radcliffe tackled the problem of hacking the wireless sensors that collect blood sugar information and transmit it to the insulin pump. He had to figure out what kind of chips are used in the sensors, which he did with some digging. Since the devices emit wireless signals, the manufacturers have to submit designs to the Federal Communications Commission, which investigates whether the device emits anything harmful. Those filings contained valuable information on how the devices operated, Radcliffe said. The data sheets for the chips had good information, and the patent for the $6,000 or so insulin pump was also useful.
Once he identified the sensor, Radcliffe went through the process of deciphering what the wireless transmissions meant. These transmissions are not encrypted, since the devices have to be really cheap. The transmissions are only 76 bits and they travel at more than 8,000 bits per second. To review the signal, Radcliffe captured it with a $10 radio frequency circuit board and used an oscilloscope to analyze the bits.
He captured two 9-millisecond transmissions that were five minutes apart. But they came out looking like gibberish. He captured more transmissions. About 80 percent of the transmissions had some of the same bits. He reached out to Texas Instruments for help but didn’t have much luck. He told the TI people what he was doing and they decided not to help him.
That was as far as he got on deciphering the wireless signal from the sensor, since there was no documentation that really helped him there. He couldn’t understand what the signal said, but he didn’t need to. So he tried to jam the signals to see if he could stop the transmitter. From within a quarter of a mile, he found he could indeed disrupt the transmitter via a denial of service attack, that is, flooding it with false data.
The problem for manufacturers is that the wireless connection on the insulin pump is also not secure. He wrote a “scanner” program that could query for the device’s wireless signal, and with no encryption to interfere with the scanning, the pump pretty much gave itself away. If you can get the serial number of the specific device, you can use that to devise a transmission that issues an instruction to it. Radcliffe can control the pump from a distance. He did it on one device that he owns, not a series of devices, since it was his own personal research. He doesn’t know if some pumps are more secure. At the time of the talk he wasn’t disclosing the vendor, but he said he would work with the vendor to help create a solution.
Radcliffe figured out that if he reversed the format of the signal, he could then capture a transmission identification and then retransmit it with fake data. That would cause the insulin pump to inject too much or too little insulin into the person’s bloodstream, potentially killing the patient. The pump did nothing to inform the patient that its data had been altered.
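As an added illustration (not code from the article, from Radcliffe, or from any pump vendor), the following Python simulates the two receiver designs the two preceding paragraphs contrast: a pump that accepts any frame carrying its serial number, versus one that requires a keyed tag and a monotonic counter and therefore rejects both altered readings and replayed frames. The frame layout, serial number, key and tag length are constructed for this example and do not represent any real device’s protocol.

```python
import hmac
import hashlib
import struct

# Constructed toy protocol for illustration only; the real sensor/pump frame
# format is not described in the article and is not reproduced here.
# Frame body = 4-byte serial | 2-byte glucose reading (mg/dL) [| 2-byte counter]
SERIAL = 0x0001A2B3                                  # constructed sample serial
KEY = b"per-device-key-provisioned-at-pairing"      # hypothetical pairing key


def pack_unauth(serial, reading):
    """Unauthenticated frame: anyone who knows the serial can produce it."""
    return struct.pack(">IH", serial, reading)


class UnauthPump:
    """Receiver whose only check is 'does the serial match mine?'."""
    def __init__(self, serial):
        self.serial, self.log = serial, []

    def receive(self, frame):
        serial, reading = struct.unpack(">IH", frame)
        if serial != self.serial:
            return None
        self.log.append(reading)          # accepted, no integrity or freshness check
        return reading


def pack_auth(serial, counter, reading, key=KEY, tag_len=8):
    """Frame with a per-message counter and a truncated HMAC over the whole body."""
    body = struct.pack(">IHH", serial, reading, counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:tag_len]


class AuthPump:
    """Receiver that verifies the tag and requires a strictly increasing counter."""
    def __init__(self, serial, key=KEY, tag_len=8):
        self.serial, self.key, self.tag_len = serial, key, tag_len
        self.last_counter, self.log = -1, []   # counter must persist across resets

    def receive(self, frame):
        body, tag = frame[:8], frame[8:]
        serial, reading, counter = struct.unpack(">IHH", body)
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:self.tag_len]
        if serial != self.serial or not hmac.compare_digest(tag, expected):
            return None                   # altered or not from the paired sensor
        if counter <= self.last_counter:
            return None                   # replay of an earlier frame
        self.last_counter = counter
        self.log.append(reading)
        return reading


def demo():
    """Returns ((unauth results), (auth results)) for genuine, altered, replayed, next."""
    u = UnauthPump(SERIAL)
    spoofed = pack_unauth(SERIAL, 40)     # reading chosen by whoever knows the serial
    unauth = (u.receive(pack_unauth(SERIAL, 110)), u.receive(spoofed))
    a = AuthPump(SERIAL)
    f1 = pack_auth(SERIAL, 1, 110)
    altered = f1[:4] + struct.pack(">H", 40) + f1[6:]   # reading changed, tag kept
    auth = (a.receive(f1), a.receive(altered), a.receive(f1), a.receive(pack_auth(SERIAL, 2, 112)))
    return unauth, auth
```

In the unauthenticated design the spoofed reading of 40 mg/dL is accepted silently, which is the behaviour the article describes; the authenticated receiver accepts only the genuine frames (110, then 112) and returns None for the altered and replayed ones.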
Hacking medical devices isn’t a pretty subject. But it is perfectly possible and manufacturers of those devices shouldn’t ignore the possibility that it can be done. The problem of lack of security awareness among the manufacturers has been around for a while. In 2008, a security researcher at the Defcon security conference showed how he could turn off someone’s pacemaker.
Radcliffe says that next-generation pumps may use Bluetooth wireless radio, which has also been hacked in the past. Research is being done into whether the pumps and the sensors can be integrated so that humans don’t have to make their own assessments about how much insulin they need.
Radcliffe said he has ordered a new insulin pump from a Medtronic rival, Animas. The vulnerable pumps are the Paradigm models 512, 522, 712, and 722. He said that the risks are still low in terms of a hacking attack against individual users. But he said users should be concerned about the behavior of companies.
“I can’t continue supporting a company I find unethical,” he said. “I will continue to be committed to fully disclosing and cooperating with Medtronic no matter what their conduct is. Public safety is the top security.”