Drawing parallels with the SCADA industry, researcher Jay Radcliffe gave a personal account of his experience of having Type 1 diabetes and how various devices he uses control his diabetes could be manipulated by "evil doers" at this week's Black Hat USA and DefCon security conferences in Las Vegas. The insulin pump replaces the actions of the liver (which secretes sugar) and the pancreas (which secretes insulin). Too much blood sugar can overtax the kidneys and too little blood sugar can shut the body down. Radcliffe related these bodily processes to industrial SCADA systems which also regulate pressure in gas and electric utilities—too much and the system blows, too little and the electrical or water system shuts down.
Continuous Glucose Meters (CGM) use a tiny wire stuck into the skin tissue to measure sugar levels through the conductivity of fluids in the body. The CGM transmits every 5 minutes with a pager device which is worn on belt or in a pocket. It needs calibration every 24 hours and the FDA requires CGMs to be replaced every 7 days, although he has known diabetics who have worn them for up to 14 days.
To learn more about this particular device (which he declined to name), Radcliffe consulted the FCC which requires the disclosure of all technical details, such as frequency, bandwidth of every device sold in the US. His particular device happened to broadcast over HAM radio channels; Radcliffe is a licensed HAM radio operator. Researching the patent information yielded more technical detail such as the chip used in his insulin pump also happens to be used in SCADA systems.
On-Off Keying (OOK) is a simple RF modulation that equates a 1 with a signal and a 0 with the absence of a signal to reveal code sequences. Radcliffe says he wasn't able to decode the CGM beacon, however he was able to record and play back what's called a replay attack. By playing back the same signal over time, he managed to flat line his monitor and created a denial of service (DoS) attack on himself. Radcliffe commented that many SCADA systems also use OOK broadcasting in the sub 1ghz range.
Today Radcliffe uses an insulin pump, a more expensive device, about $6000, and is designed to automatically pump insulin and also work for years. Through tubes inserted into his body, the pump secretes a baseline insulin blast every 3 minutes or so and then sends more at mealtimes. Blood meters wirelessly send his blood suger measurements to the pumps.
What he found with this more expensive monitor was that it had no verification of the remote signal, which could be up to 100 feet away. Further, the pump broadcasts its unique ID so he was able to send the device a command set that put the pump into SUSPEND mode (aka, a DoS attack). Worse, however, was that could overwrite the device to inject more insulin into his body. With insulin, you cannot remove it from the body (unless you compensate with a sugary food).
What concerns Radcliffe is the artificial pancreas project that the Juvenile Diabetes Research Foundation is planning to combine the CGM and the Insulin Pump. It could inject insulin without the user's involvement. The new device is said to use 2.4ghz Bluetooth technology, and Radcliffe points out that Bluetooth attacks have been well known for years. Without proper authentication in place, the patient could be subject to a variety of hacking attempts.
To mitigate this, he says manufacturers need to turn on the crypto that's available in Bluetooth. Radcliffe also suggests using infrared vs radio frequency, since he could tape over the IR to prevent unwanted access to his device.
In the meantime, Radcliffe suggested use of RF necklaces that block hostile RF commands. These are used now to protect RF-enabled pacemaker patients for unwanted RF signals. During the Black Hat Radcliffe said he was contacted by two medical device vendors (neither were the vendor he uses) who also use SSL to communicate with their devices, another good practice.
Radcliffe plans to contact his personal vendor after Black Hat and DefCon but said he hopes the media coverage of medical device hacking in general helps protect all devices. The time and money the vendors invest in proprietary chips means vulnerability in one device could extend to other devices, such as pacemakers, etc. But without an ability to update firmware, the vendor is often left to replace the device, which, in Radcliffe's case is a very expensive process. On the other hand, the alternative is not very good alternative either.
Related Reading: Attacks on Mobile and Embedded Systems: Current Trends