To Hack, or not to Hack, that is the Question
Hacking could improve medical device quality and security, but in the face of jail-time, trying isn’t so appealing.
The word “hackers” makes us think of identity thieves and friends posting embarrassing statuses on one another’s Facebook (or a really bad movie with Angelina Jolie).
But the hacking community could also save lives.
Medical device software has seen its share of shortcomings, and hackers can expose flaws more easily than you’d expect. Computerworld’s "FDA asks hackers to expose holes in medical devices, but many researchers fear CFAA & jail" explores the turmoil of those trying to help in an unconventional way.
Jay Radcliffe, in the Kitchen, with the Radio Transmitter.
Jay Radcliffe is a network security expert who uses an insulin pump. He hacked his own with nothing more than a $20 radio frequency transmitter.
He intercepted the pump’s wireless signals, overpowered them with a stronger broadcast, and reverse-engineered the wireless commands to make the blood-sugar readout show a false number. A user could then change their dosage based on that false reading. With a strong enough antenna, this can be done from half a mile away, and could be deadly if done repeatedly. Per Radcliffe:
"My initial reaction was that this was really cool from a technical perspective. The second reaction was one of maybe sheer terror, to know that there's no security around the devices which are a very active part of keeping me alive."
He reported his findings at the Black Hat security conference in 2011. Instead of receiving praise, angry parents contacted him, terrified that he had given murderers the perfect plot. Diabetic patients were concerned that this would hinder approval for more secure pumps.
Radcliffe contacted the manufacturer, Medtronic, but they ignored him. Medtronic now says someone is looking into his claims and that the company is adding security features to future pumps, but maintains that the risk of attack is “extremely low.”
Barnaby Jack, in the Study, with the Laptop.
Renowned hacker Barnaby Jack took Radcliffe’s experiment further. Jack:
"...discovered a way to scan a public space from up to 300 feet away, find vulnerable pumps made by Minneapolis-based Medtronic Inc., and force them to dispense fatal insulin doses. Jack doesn't need to be close to the victim or do any kind of extra surveillance to acquire the serial number, as Radcliffe did."
He also learned to take over pacemakers. Jack could remotely attack the device from 30 feet away, delivering an 830-volt shock using only his laptop. He attributed this to a flaw in the devices’ programming.
Either attack could cause panic, or death. Jack’s hope was to raise awareness, so companies would beef up security, noting “…there are well over 3 million pacemakers and over 1.7 million ICD's in use.”
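The common thread in both the insulin pump and the pacemaker cases is a wireless link that accepts any well-formed command, so a stronger transmitter can simply substitute its own. The following simulation is an added example written for this page; it is not code from Radcliffe, Jack, Medtronic or any vendor, and the frame layout, command codes and pairing key are constructed placeholders, not a real device protocol. It contrasts a controller that trusts the radio with one that requires a per-device key, a message authentication code and a monotonic counter, and shows the forged, replayed and cross-device frames being rejected.

```python
import hashlib
import hmac
import struct

# Constructed frame layout (hypothetical, not any vendor's protocol):
# device_id (4 bytes) | counter (4 bytes) | cmd (1 byte) | value (2 bytes) | tag (16 bytes)
HEADER = struct.Struct(">IIBH")
TAG_LEN = 16

CMD_REPORT_GLUCOSE = 0x01   # update the glucose number shown to the patient
CMD_DELIVER_BOLUS = 0x02    # deliver insulin, value in tenths of a unit


class InsecurePump:
    """Accepts any well-formed frame: the radio link is the only 'security'."""

    def __init__(self, device_id):
        self.device_id = device_id
        self.display_glucose = None
        self.delivered_units = 0.0

    def receive(self, frame):
        _device_id, _counter, cmd, value = HEADER.unpack(frame[:HEADER.size])
        return self._apply(cmd, value)

    def _apply(self, cmd, value):
        if cmd == CMD_REPORT_GLUCOSE:
            self.display_glucose = value
        elif cmd == CMD_DELIVER_BOLUS:
            self.delivered_units += value / 10.0
        return True


class AuthenticatedPump(InsecurePump):
    """Only acts on frames that carry a valid HMAC under the pairing key and a fresh counter."""

    def __init__(self, device_id, key):
        super().__init__(device_id)
        self.key = key            # shared only with the patient's own controller at pairing time
        self.last_counter = 0     # highest counter accepted so far, defeats replays

    def receive(self, frame):
        if len(frame) != HEADER.size + TAG_LEN:
            return False
        header, tag = frame[:HEADER.size], frame[HEADER.size:]
        device_id, counter, cmd, value = HEADER.unpack(header)
        if device_id != self.device_id:          # frame addressed to some other pump
            return False
        expected = hmac.new(self.key, header, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):  # forged or tampered frame
            return False
        if counter <= self.last_counter:         # captured-and-rebroadcast frame
            return False
        self.last_counter = counter
        return self._apply(cmd, value)


def build_frame(key, device_id, counter, cmd, value):
    """Build a frame as the (legitimate or not) sender would, tagging it with whatever key it holds."""
    header = HEADER.pack(device_id, counter, cmd, value)
    tag = hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]
    return header + tag


def demo():
    """Feed the same frames to both pump models and report what each accepted."""
    key = b"constructed-pairing-key"           # constructed sample value
    wrong_key = b"not-the-pairing-key"         # a sender without the pairing key
    pump_id = 0xDEAD0001                       # constructed device serial

    legit = build_frame(key, pump_id, 1, CMD_REPORT_GLUCOSE, 110)
    forged_reading = build_frame(wrong_key, pump_id, 2, CMD_REPORT_GLUCOSE, 400)
    forged_bolus = build_frame(wrong_key, pump_id, 3, CMD_DELIVER_BOLUS, 250)
    other_device = build_frame(key, 0xDEAD0002, 4, CMD_REPORT_GLUCOSE, 90)

    insecure = InsecurePump(pump_id)
    secure = AuthenticatedPump(pump_id, key)

    return {
        "insecure_accepts_forged": insecure.receive(forged_reading),
        "insecure_display": insecure.display_glucose,
        "insecure_delivers_forged_bolus": insecure.receive(forged_bolus) and insecure.delivered_units,
        "secure_accepts_legit": secure.receive(legit),
        "secure_rejects_forged": not secure.receive(forged_reading),
        "secure_rejects_forged_bolus": not secure.receive(forged_bolus),
        "secure_rejects_replay": not secure.receive(legit),
        "secure_rejects_other_device": not secure.receive(other_device),
        "secure_display": secure.display_glucose,
        "secure_delivered_units": secure.delivered_units,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The key point is in `AuthenticatedPump.receive`: transmit power no longer matters, because a frame is only acted on if it was built by a holder of this pump's pairing key, has not been seen before, and is addressed to this pump. Constant-time comparison (`hmac.compare_digest`) keeps the tag check itself from leaking anything; a real design would also need a pairing procedure and a way to resynchronise the counter, which this simulation omits.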
The Feds, in the Parlor, with the Rule Book.
The government is involved, with mixed results. In response to Radcliffe’s findings, Representatives Anna Eshoo (CA) and Edward Markey (MA) asked the Government Accountability Office to investigate the FCC’s approach to wireless medical device security, hoping to shed light on the situation.
Many in the hacker community want to help, but the Computer Fraud and Abuse Act stands in their way. It is old and vague, and doesn’t account for this scenario, which has proved disastrous for developers and hackers: researchers limit or scrap projects altogether, and hackers avoid seeking solutions or presenting results.
“It's extremely dangerous legally now to test the security of any sort of service,” security researcher Charlie Miller told SC Magazine. “There's always a threat you'll get sued, but it's a whole 'nother story that you may end up in jail."
The FDA to the Rescue?
The FDA is asking security researchers to disclose vulnerabilities. This again raises the issue of legality and consequences, but it’s a step in the right direction.
Finally, the FDA is using its might to incite dialogue. After ignoring Radcliffe’s proof, it forced “a high-level discussion” with Animas Corp. (who produced a faulty pump), but the company “disagrees strongly with the severity of the issue he uncovered and doesn't think the device needs to be fixed.”
Stopping the Insanity.
There are clearly fatal flaws in medical device applications, and three main issues stand out.
To fix a problem, you must confront it. But it seems companies are doing the opposite. Radcliffe didn’t mention Medtronic in his Black Hat presentation. The footage from Jack’s video wasn’t released, because it would have disclosed the manufacturer.
Companies don’t want to be embarrassed, or lose customers. But fear of failure is no excuse for putting customers’ lives second.
Changing the System.
In this case, hackers promote safety and excellence. But they don’t want to end up the next Andrew “Weev” Auernheimer. Something has to give. As Shane MacDougall from Tactical Intelligence puts it, “I really can't express how monumentally bad the decision by the FBI to go after Weev was.” He added that the FBI has "really done American consumers a disservice.”
Federal agencies are responsible for ensuring consumer safety, but laws and ideas must change with times and technologies.
Hire those who can Teach You.
Maybe the final lesson is, “If you can’t beat them, join them.” Instead of ignoring intelligent, concerned people, companies would do well to learn from their findings, and even hire or consult them. This would ensure a better, safer product. It could also mean good press and an improved reputation, especially if the company has already suffered from this issue.
Medical app safety is no joke. Exploring all options, taking advice from those who can help, fixing legislation, and putting customers before pride will help ensure consumer security.