I am diabetic and am considering getting a pump. I am also a security software engineer and knowing that the pump manufacturer wasn’t paranoid enough to secure the communication channel between the pump and an attacker is a reason why I will wait before getting a pump.

Assuming for whatever reason, they’re going to go in anyhow, what they do after they’re in defines a wide difference of right and wrong (or less-wrong and more-wrong, if you’d prefer to argue that).

Being a medical worker I have often wondered about the havok some one could cause with our many wireless systems. Hacking Insulin pumps would be bad but imaging this. What if terrorists rolled up to a major medical facility and started disrupting IV pumps? You could literally kill thousands of folks in minutes in a silent fashion and we woulden’t know wtf was happening until it was to late.

Choice A: You tell the public: telling the public notifies all of the following parties: law enforcement, consumers, manufacturers, and criminals. Criminals are now dissuaded from committing the crime because law enforcement and the public have been made aware of the issue. It’s easier to get caught and prosecuted when people know exactly how you committed the crime. The public now knows and can put economic pressure on manufacturers to change the security issue. The manufacturer now knows and can begin making changes with the oversight of the public and law enforcement. Consumers know and can self select the device or method that makes them most comfortable.

Choice B: You sell the information on the black market: hacker makes a crapload of money (far more than could be made at a conference gig), and risks being caught and treated as an accessory to murder. The consumer dies of an insulin attack. The criminal has no reason not to commit this crime again, because his method is still undiscoverable. Law enforcement – too understaffed and frankly technologically defunct to figure out what happened – stays baffled about why people are dying.

Choice C: You tell the manufacturer in private: that’s great. Now the only thing ensuring that the manufacturer will actually do anything is the threat that you’ll go back to Choice A. Why bother? Skip this and go straight to what’s effective! Furthermore, if a nefarious company discovers that you are the sole owner of damaging product information, what’s to keep them from retaliating against you before you make the information public. Choice C also frees the hacker up to still do Choice B, right? Why not play both sides, it’s not like the public knows? 

Choice A: You tell the public: telling the public notifies all of the following parties: law enforcement, consumers, manufacturers, and criminals. Criminals are now dissuaded from committing the crime because law enforcement and the public have been made aware of the issue. It’s easier to get caught and prosecuted when people know exactly how you committed the crime. The public now knows and can put economic pressure on manufacturers to change the security issue. The manufacturer now knows and can begin making changes with the oversight of the public and law enforcement. Consumers know and can self select the device or method that makes them most comfortable.

Choice B: You sell the information on the black market: hacker makes a crapload of money (far more than could be made at a conference gig), and risks being caught and treated as an accessory to murder. The consumer dies of an insulin attack. The criminal has no reason not to commit this crime again, because his method is still undiscoverable. Law enforcement – too understaffed and frankly technologically defunct to figure out what happened – stays baffled about why people are dying.

Choice C: You tell the manufacturer in private: that’s great. Now the only thing ensuring that the manufacturer will actually do anything is the threat that you’ll go back to Choice A. Why bother? Skip this and go straight to what’s effective! Furthermore, if a nefarious company discovers that you are the sole owner of damaging product information, what’s to keep them from retaliating against you before you make the information public. Choice C also frees the hacker up to still do Choice B, right? Why not play both sides, it’s not like the public knows? 

We adjust out insulin to avoid medical complications… rarely do people today wait three days to adjust their insulin based on high blood sugar. Ergo… this may be life threatening.

We adjust out insulin to avoid medical complications… rarely do people today wait three days to adjust their insulin based on high blood sugar. Ergo… this may be life threatening.

I think it is funny/sad that people are outraged by something like this. If you had your way what would you do? Make a law against hacking insulin devices?

In my view this is a cool hack. I applaud the person who came up with it. It was probably a difficult feat. I think it shows that he did not intend ill by it because he is in fact a person who needs a pump like this.

As far as crossing a line. Noone is crossing any lines here. If he killed someone with an insulin pump, I would say that would be crossing the line.

I think most of this article “is nothing more than attention whoring” and you really don’t care at all about this subject other than to get attention yourself, and to be honest that’s why I wrote this post as well. At least I’m honest. :D

Let’s be perfectly honest here.  Hacking has never been about ethics.  Never.

Hacking any computer based technology is the same as running up to my house and smashing the windows.  Then running around excitedly saying look at the security hole.  Followed by a long tirade about how I shouldn’t have windows at all on my house, how I should have armed guards around the perimeter, radar, sound detectors…and don’t forget about the inside threat, so I should be monitoring my kids at all times and performing periodic reviews to make sure they are obeying all security rules 24×7.

Hackers are not heroes for pointing out that I have windows on my house that can be broken into.  Ethical hacker is nothing more than an oxymoron.

Very wise Joe.

Very wise Joe.

Also, you can call them faggots and whatever you want, but these people make your internet work, give you awesome apps online, etc. 

Don’t hate the power they wield, hate those that abuse it. (Better yet, help them is stopping people from abusing it!)

For people to attack this kid is nothing more than a scene from Invasion of the Body Snatchers when someone has been identified and then everyone begins chasing them and lobbing hatred at them.

Most recently there was an article on pacemakers being susceptible to hacks:  http://www.wired.com/gadgetlab/2008/03/scientists-demo/

The next thing I’m waiting to see is where someone divulges how to hack a robotic appendage (arm, leg, etc.).

Folks, it’s a reality and calling someone “attention whoring” or a “faggot” is not going to change the fact that this is an extreme vulnerability and it needs attention now!