
on Saturday, 27 August 2011

When hacking can mean a matter of life and death, and the devs don't want to know ...

In an article recently published on The Register, a diabetic researcher reveals that he identified a vulnerability in the software used to control the flow of insulin from life-saving insulin pumps, which would allow a hacker to gain wireless access and increase, decrease or stop the flow of insulin. He had contacted the company producing the pump - Medtronic - numerous times to report the vulnerability, and was ignored.

Modern medical technology is just incredible - if you ever have the misfortune of needing any kind of medical procedure nowadays, the chances are you will take for granted how all the bits and bobs work. Not so long ago, insulin-dependent diabetics had to regularly check their blood sugar levels and inject the correct amount of insulin to maintain a stable blood sugar level - inconvenient, difficult, and almost impossible in young, uncooperative children!

Recent advances in technology have produced pumps which can deliver the correct amount of insulin regularly, without intervention from the user - liberating thousands worldwide from the daily routine of tests and injections.

When a geeky user of these pumps noticed there was a wireless vulnerability in his pump, he immediately got in touch with the manufacturer to alert them to the problem he had discovered. The problem could be fatal if exploited, as it allows a hacker to change or stop the flow of insulin which the diabetic is dependent upon. Jay Radcliffe found his communications ignored, and in a statement released by Medtronic after he presented at the Black Hat Security Conference, they claimed that the vulnerability could be avoided by 'switching off the wireless function' - however, the vulnerability that he discovered can't actually be switched off!

Radcliffe repeatedly refused to name the model or company involved during his presentation, hoping that they would allow him to brief them privately on the issues. After the Department of Homeland Security came across his findings, they put him in touch with an employee at Medtronic, who also did not return phone calls or reply to emails.

Ironically, Medtronic were quoted as saying:

"To our knowledge, there has never been a single reported incident outside of controlled laboratory experiments in more than 30 years of device telemetry use, which includes millions of devices worldwide."

So, apparently that means that because nobody has exploited it in the wild yet, they won't be doing anything about it? Radcliffe has since switched his insulin pump provider - and so would I!

While I understand that this kind of vulnerability is not really something that the everyday hacker is likely to think about making use of (but I wouldn't put it past governments to be taking notes of this vulnerability!), if there is a vulnerability in your code which could potentially be life-threatening then you have a duty to fix that vulnerability, not just suggest that a feature of the device is turned off - which doesn't even fix the problem!

The fact that the messages from this user were not even acknowledged with a 'thanks, we'll look into it' shows extremely poor practice from the company, in my humble opinion. I wonder if the software is open source?! :)
