I don’t get why someone would want to spend the time creating a method of hacking something as important and life sustaining to some people as an insulin pump. To diabetics that rely on the insulin pump for their lives hacking it and changing the dose of insulin could kill them. At the Black Hat Security conference a man named Jay Radcliffe showed off this hack. He is a diabetic and depends on an insulin pump and a glucose monitor to live. Radcliffe says that he has reverse-engineered the proprietary wireless communication system between the glucose meter and the pump.
The hack he has devised would allow an attacker to manipulate the diabetic’s insulin injections and could possibly be used to kill the pump user. Radcliffe said that at first he thought it was cool for a tech standpoint and then since he uses an insulin pump he had an instance of “sheer terror” that there is no security on the devices.
An attacker according to Radcliffe could intercept wireless signals and broadcast a stronger signal to change the readout causing the person to adjust their dose. He also said that a person could do this from quite far away such as a few hundred feet away the attacker could do this from the same floor of a hospital or from the same airplane.
I want to ask you all something about this sort of research. Where do we draw the line? This could potentially kill someone. On the one hand, a researcher can justify publishing attacks like this under the guise of “at least people know this is out there now and it can be addressed.” At the same time this sort of research is undoubtedly giving some would be attacker’s new information they probably didn’t have before. Would it not make sense if all you want is to expose a vulnerability to simply do your work and then tell the company that makes the gear rather than make the attack public? I can’t help but think that most of this is nothing more than attention whoring rather than a desire to expose flaws in a system merely so they can be fixed.