Hacking the Human Body SCADA System

Hacking Medical Devices

Drawing parallels with the SCADA industry, researcher Jay Radcliffe gave a personal account at this week’s Black Hat USA and DefCon security conferences in Las Vegas of his experience of having Type 1 diabetes and of how the various devices he uses to control his diabetes could be manipulated by “evil doers.” The insulin pump replaces the actions of the liver (which secretes sugar) and the pancreas (which secretes insulin). Too much blood sugar can overtax the kidneys and too little blood sugar can shut the body down. Radcliffe related these bodily processes to industrial SCADA systems, which also regulate pressure in gas and electric utilities: too much and the system blows, too little and the electrical or water system shuts down.

Continuous Glucose Meters (CGM) use a tiny wire stuck into the skin tissue to measure sugar levels through the conductivity of fluids in the body. The CGM transmits every 5 minutes to a pager device, which is worn on a belt or in a pocket. It needs calibration every 24 hours and the FDA requires CGMs to be replaced every 7 days, although Radcliffe has known diabetics who have worn them for up to 14 days.

To learn more about this particular device (which he declined to name), Radcliffe consulted the FCC, which requires the disclosure of all technical details, such as frequency and bandwidth, of every device sold in the US. His particular device happened to broadcast over HAM radio channels; Radcliffe is a licensed HAM radio operator. Researching the patent information yielded more technical detail, such as the fact that the chip used in his insulin pump also happens to be used in SCADA systems.

On-Off Keying (OOK) is a simple RF modulation that equates a 1 with a signal and a 0 with the absence of a signal to reveal code sequences. Radcliffe says he wasn’t able to decode the CGM beacon; however, he was able to record it and play it back, in what’s called a replay attack. By playing back the same signal over time, he managed to flatline his monitor, creating a denial of service (DoS) attack on himself. Radcliffe commented that many SCADA systems also use OOK broadcasting in the sub-1 GHz range.

Today Radcliffe uses an insulin pump, a more expensive device (about $6000) that is designed to pump insulin automatically and to work for years. Through tubes inserted into his body, the pump secretes a baseline insulin blast every 3 minutes or so and then sends more at mealtimes. Blood meters wirelessly send his blood sugar measurements to the pump.

What he found with this more expensive device was that it had no verification of the remote signal, which could come from up to 100 feet away. Further, the pump broadcasts its unique ID, so he was able to send the device a command set that put the pump into SUSPEND mode (aka, a DoS attack). Worse, however, was that he could overwrite the device to inject more insulin into his body. With insulin, you cannot remove it from the body (unless you compensate with a sugary food).

What concerns Radcliffe is the artificial pancreas project, in which the Juvenile Diabetes Research Foundation is planning to combine the CGM and the insulin pump. It could inject insulin without the user’s involvement. The new device is said to use 2.4 GHz Bluetooth technology, and Radcliffe points out that Bluetooth attacks have been well known for years. Without proper authentication in place, the patient could be subject to a variety of hacking attempts.

To mitigate this, he says manufacturers need to turn on the crypto that’s available in Bluetooth. Radcliffe also suggests using infrared instead of radio frequency, since he could tape over the IR to prevent unwanted access to his device.
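An added example, not from the article or from any vendor's code: a minimal sketch of the kind of verification of the remote signal that the pump lacked. Each command carries a keyed MAC over the device ID, a counter and the command, so a recorded frame played back, or a frame built from the broadcast ID alone, is rejected. The frame layout, key, device ID, the `RESUME` command and the `PumpReceiver` name are assumptions for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 8    # truncated HMAC-SHA256 tag (length is an assumption)
HDR = ">IQ"    # assumed header: 4-byte device ID, 8-byte counter
HDR_LEN = struct.calcsize(HDR)

def build_frame(key, device_id, counter, command):
    """Remote side: header + command + MAC over both."""
    body = struct.pack(HDR, device_id, counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class PumpReceiver:
    """Hypothetical receiver that accepts only authentic, fresh commands."""

    def __init__(self, key, device_id):
        self.key = key
        self.device_id = device_id
        self.last_counter = 0  # highest counter accepted so far

    def accept(self, frame):
        if len(frame) <= HDR_LEN + TAG_LEN:
            return (False, "malformed frame")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            return (False, "bad tag")
        device_id, counter = struct.unpack(HDR, body[:HDR_LEN])
        if device_id != self.device_id:
            return (False, "wrong device")
        if counter <= self.last_counter:             # recorded frame played back
            return (False, "replayed or stale counter")
        self.last_counter = counter
        return (True, body[HDR_LEN:].decode("ascii", "replace"))

def demo():
    key, dev = bytes(range(32)), 0x1234ABCD          # constructed sample values
    pump = PumpReceiver(key, dev)
    genuine = build_frame(key, dev, 1, b"SUSPEND")
    forged = build_frame(b"\x00" * 32, dev, 2, b"SUSPEND")  # right ID, no key
    return [
        pump.accept(genuine),                        # first delivery
        pump.accept(genuine),                        # same bytes replayed
        pump.accept(forged),                         # built from broadcast ID alone
        pump.accept(build_frame(key, dev, 2, b"RESUME")),
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Key provisioning and keeping the counter across power loss are outside this sketch.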

In the meantime, Radcliffe suggested the use of RF necklaces that block hostile RF commands. These are used now to protect RF-enabled pacemaker patients from unwanted RF signals. During Black Hat, Radcliffe said he was contacted by two medical device vendors (neither was the vendor he uses) who also use SSL to communicate with their devices, another good practice.

Radcliffe plans to contact his personal vendor after Black Hat and DefCon but said he hopes the media coverage of medical device hacking in general helps protect all devices. The time and money the vendors invest in proprietary chips means a vulnerability in one device could extend to other devices, such as pacemakers. But without an ability to update firmware, the vendor is often left to replace the device, which, in Radcliffe’s case, is a very expensive process. On the other hand, the alternative is not a very good one either.

Related Reading: Attacks on Mobile and Embedded Systems: Current Trends
