Insulin Pumps Proven Susceptible to Hacking

Dennis Faas's picture

An exhibitor at this year's Black Hat Security Conference in Las Vegas is warning the public of flaws that could allow an attacker to remotely control insulin pumps and alter the information stored on blood-sugar monitors.

Jay Radcliffe experimented on his own insulin equipment to establish his findings.

The results are a reminder to the tech world that medical devices linked to computer technology could be life-threatening in the wrong hands. In the past, severe attacks have been leveled against pacemakers and defibrillators (though these were demonstrated in theory at computer security conferences, with no real danger to the public).

In recent years, operating room monitors and surgical tools (including deep-brain stimulators) have been engineered with the ability to transmit health information from the body of a patient to doctors and other professionals. Some of these devices can even be remotely controlled by medical teams.

Hi Tech Device Prone to Attack

As Radcliffe discovered, however, the problem lies in the size of these instruments. The devices are typically too small to house processors powerful enough to perform the encryption needed to scramble their communications. As a result, these devices are prone to attack.

When performing his research, Radcliffe found that his insulin pump (which works in conjunction with a special remote control to administer the insulin) can be reprogrammed to respond to a third-party remote control.

All that an attacker would need is a special USB device that can be purchased through a medical supply company or on eBay. Incorrect readings would result in the administration of too much (or too little) insulin, the hormone needed to maintain proper metabolism for a diabetic individual.

Manufacturers Downplay Severity of the Situation

When approached for comment, medical device makers downplayed the severity of the situation, stating that the attacks would require the malicious workings of skilled security researchers and are unlikely to occur in the real world.

Still, Radcliffe offered a valid rebuttal in response to the lackadaisical comments made by the medical device makers: "It would only take one person to do this [hack an insulin pump or blood-sugar monitor] to kill someone and then you have a catastrophe."
