Hospital patients could die as a result of lethal attacks by hackers, a researcher told the Black Hat security conference in Las Vegas yesterday, as he revealed that medical equipment including insulin pumps, pacemakers and implanted defibrillators was at risk from wireless meddling.
Jerome Radcliffe, himself a diabetic, told attendees how he had managed to hack into his wireless insulin pump, after intercepting signals that enabled him to change code sent to the device.
Radcliffe says he could reduce or increase the insulin dose to potentially fatal levels without the device issuing any warning, and without any evidence of tampering becoming apparent. Such interference could, in theory, enable hackers to kill patients without any signs of foul play being detected.
"I can get full remote control," Radcliffe told the Black Hat gathering. "If I were an evil hacker, I could issue commands to give insulin, without anyone else's authority. This is scary. And I can manipulate the data so it happens in a stealth way."
Wireless medical devices such as these, it turns out, are not designed with security in mind - presumably because their makers assume that no one would try to interfere with such devices remotely.
Similar wireless control systems are used in a range of medical devices. A study published three years ago revealed a similar vulnerability in wireless pacemakers.
Fortunately, no hacker has yet revealed the exact process required to interfere with any of these appliances - but Radcliffe's revelation heightens fears that potentially murderous attacks could be carried out undetected from a hospital car park.
Built-in encryption would protect patients from this type of 'drive-by' attack - but the additional circuitry required could take its toll on the battery life of devices which need to remain in place for months or years. Another safety measure would be to include sensors in the hardware that raise an alarm when potentially dangerous changes are made to its settings.