[ISN] Insulin Pump Hack Controversy Grows

From: InfoSec News <alerts_at_private>
Date: Mon, 29 Aug 2011 04:27:47 -0500 (CDT)
http://www.informationweek.com/news/security/vulnerabilities/231600265

By Mathew J. Schwartz
InformationWeek
August 26, 2011

At least four models of insulin pumps sold by Medtronic are vulnerable 
to being wirelessly hacked. In particular, an attacker could remotely 
disable the pumps or manipulate every setting, including the insulin 
dosage that's automatically delivered--every three minutes--to the user.

That was the report given by security researcher Jerome Radcliffe at a 
press conference on Thursday. Radcliffe, himself a diabetic, 
demonstrated the pump vulnerability earlier this month at the Black Hat 
conference in Las Vegas, by remotely disabling his own insulin pump live 
on stage. Executing the attack required less than 60 seconds, and would 
work from up to 100 feet away using Radcliffe's demonstration setup. But 
with some modifications, he said, an attack could be made to work from 
up to half a mile away.

At the time, Radcliffe declined to name the manufacturer or model of his 
pump, and obscured everything but the pump's LCD panel when 
demonstrating the attack. Following ethical disclosure guidelines, 
Radcliffe said he wanted to give the vendor time to address the flaws, 
which he exploited using a radio frequency transmitter and 10 lines of 
Perl code.

On Thursday, however, Radcliffe named names, saying that the vulnerable 
pumps are the Medtronic Paradigm 512, 522, 712, and 722. Radcliffe said 
that he'd been dismayed by the lack of "honest public discourse" on the 
part of Medtronic, which is the number-one seller of insulin pumps in 
the United States. For the first time, he also disclosed that the radio 
frequency transmitter that he'd used in the exploit was the Medtronic 
Minimed Comlink (model number MMT-7304NA) that shipped with his insulin 
pump, and which is available new, via eBay, for $20. Finally, Radcliffe 
said his attempts at helping Medtronic quickly identify the underlying 
issues, so that it could explore a fix, had failed due to its ignoring, 
obfuscating, or outright lying--in its press releases--about the 
vulnerability.

[...]

Received on Mon Aug 29 2011 - 02:27:47 PDT