List: isn
Subject: [ISN] Insulin Pump Hack Controversy Grows
From: InfoSec News <alerts () infosecnews ! org>
Date: 2011-08-29 9:27:47
Message-ID: alpine.DEB.2.02.1108290427320.25488 () infosecnews ! org
http://www.informationweek.com/news/security/vulnerabilities/231600265

By Mathew J. Schwartz
InformationWeek
August 26, 2011

At least four models of insulin pumps sold by Medtronic are vulnerable
to being wirelessly hacked. In particular, an attacker could remotely
disable the pumps or manipulate every setting, including the insulin
dosage that's automatically delivered--every three minutes--to the user.

That was the report given by security researcher Jerome Radcliffe at a
press conference on Thursday. Radcliffe, himself a diabetic,
demonstrated the pump vulnerability earlier this month at the Black Hat
conference in Las Vegas, by remotely disabling his own insulin pump live
on stage. Executing the attack required less than 60 seconds, and would
work from up to 100 feet away using Radcliffe's demonstration setup. But
with some modifications, he said, an attack could be made to work from
up to half a mile away.

At the time, Radcliffe declined to name the manufacturer or model of his
pump, and obscured everything but the pump's LCD panel when
demonstrating the attack. Following ethical disclosure guidelines,
Radcliffe said he wanted to give the vendor time to address the flaws,
which he exploited using a radio frequency transmitter and 10 lines of
Perl code.

On Thursday, however, Radcliffe named names, saying that the vulnerable
pumps are the Medtronic Paradigm 512, 522, 712, and 722. Radcliffe said
that he'd been dismayed by the lack of "honest public discourse" on the
part of Medtronic, which is the number-one seller of insulin pumps in
the United States. For the first time, he also disclosed that the radio
frequency transmitter that he'd used in the exploit was the Medtronic
Minimed Comlink (model number MMT-7304NA) that shipped with his insulin
pump, and which is available new, via eBay, for $20. Finally, Radcliffe
said his attempts at helping Medtronic quickly identify the underlying
issues, so that it could explore a fix, had failed due to its ignoring,
obfuscating, or outright lying--in its press releases--about the
vulnerability.

[...]