Podcast: Jay Radcliffe on Medical Device Security
In this week’s podcast, Mocana’s Threat Center Director Jay Radcliffe discusses medical device security with host Robert Vamosi.
At last summer's Black Hat and Defcon security conferences, Radcliffe drew parallels with the SCADA industry when he gave a personal account of his experience of having Type 1 diabetes and how various devices he uses control his diabetes could be manipulated by “evil doers." The insulin pump replaces the actions of the liver (which secretes sugar) and the pancreas (which secretes insulin). Too much blood sugar can overtax the kidneys and too little blood sugar can shut the body down. Radcliffe related these bodily processes to industrial SCADA systems which also regulate pressure in gas and electric utilities—too much and the system blows, too little and the electrical or water system shuts down.
Radcliffe uses an insulin pump, a device costing about $6000, that is designed to work for years. Through tubes inserted into his body, the pump secretes a baseline insulin blast every 3 minutes or so and then sends more at mealtimes. Blood meters wirelessly send measurements to the pumps with a physical range of up to 100 feet.
What he found was his monitor had no verification of the remote signal. Worse, the pump broadcasts its unique ID so he was able to send the device a command that put it into SUSPEND mode (a DoS attack). That meant Radcliffe could overwrite the device configurations to inject more insulin. With insulin, you cannot remove it from the body (unless he drinks a sugary food). The same overwrite of commands would also be possible with pacemakers as well. Additionally, there is potential for interference: recently, a teenager's insulin pump failed after passing through one of TSA's body scanners at a Utah airport.
You can listen to the podcast here.