Medical device hacking – FDA are told to start taking it seriously

The US Government Accountability Office (GAO), prodded by Congress, has put out a new report [PDF] recommending that the US Food and Drug Administration (FDA) start thinking about how to secure insulin pumps and implantable cardioverter defibrillators from being vulnerable from targeted attacks.

As the report states, researchers have recently demonstrated the potential for incidents resulting from intentional threats in the two devices.

One example is the work done by McAfee’s Barnaby Jack who, in October 2011, succeeded in overriding an insulin pump’s radio control and its vibrating alert safety feature.

Cartridges in such pumps hold up to 300 units of insulin (capacity varies by manufacturer).

That’s enough to last a typical diabetic one to two weeks (dosing varies depending on diet, subject weight, and insulin sensitivity), but Jack managed to dump an entire cartridge in one go.

That’s a potentially lethal dose that can be delivered without the diabetic knowing about it, given that Jack managed to disable the alarm.

Jack’s attack works on most late-model Medtronic insulin pumps, which have tiny radio transmitters that let patients and doctors adjust functions.

Earlier research managed to compromise pumps when the attacker was within a few feet of the diabetic and knew the pump’s serial number.

Jack subsequently developed an attack kit consisting of software and a special antenna that allows attackers to locate and seize control of any pump device within 300 feet, even without knowing the serial number.

During 2001 and 2006, the FDA focused on unintentional threats introduced via, for example, software testing, access control and contingency planning.

The FDA has until now has not looked into intentional harm carried out resulting from risk management, patch and vulnerability management, technical audit and accountability, or security incident response activities.

According to the GAO report, the concept of people tinkering with this stuff on purpose has been deemed just too darn Dr. Evil for the FDA to bother with:

According to FDA, it did not consider information security risks from intentional threats as a realistic possibility until recently.

No security incidents have to date been the result of intentional action, but the input of researchers has the FDA convinced that as devices grow more sophisticated, the risks are worth taking into account.

The GAO outlined risk vectors and potential outcomes, including:

• Limited battery capacity: Can hinder the power-sucking security features, making the devices susceptible to an attack that would drain the battery and render the device inoperable.
• Remote access: Could be exploited by a malicious actor.
• Continuous use of wireless communication: Could create a point of entry for unauthorized users to modify the device, especially if continuously enabled.
• Unencrypted data transfer: Can be manipulated. For example, an attacker could modify data that is not securely transmitted and alter information used in administering therapy (such as insulin dosing).
• Susceptibility to electromagnetic (e.g., cellular) or other types of unintentional interference.
• Limited or nonexistent authentication process (such as requiring a password) and authorization procedures: Could leave medical devices susceptible to unauthorized activities, such as changes to the devices’ settings.
• Disabling of warning mechanisms: If these mechanisms were disabled, a patient would not be alerted if unauthorized modifications were made to the device, such as that McAfee’s Jack demonstrated with the Medtronic insulin pump.
• Design based on older technologies: Such devices might not have been designed with security as a key consideration.
• Inability to update or install security patches: which, in certain medical devices, could prevent identified software defects from being addressed.

It’s time for the FDA to start taking these security risks seriously, the GAO says. To get there, the GAO put out four general recommendations as a bare minimum for the agency to adopt:

* Increase its focus on manufacturers’ identification of potential unintentional and intentional threats, vulnerabilities, the resulting information security risks, and strategies to mitigate these risks during its PMA review process;

* Utilize available resources, including those from other entities, such as other federal agencies;

* Leverage its postmarket efforts to identify and investigate information security problems; and

* Establish specific milestones for completing this review and implementing these changes.

This sounds like general advice, but it’s a far cry better than ignoring the possibility for malicious actors to take advantage of medical device vulnerabilities.

In a perfect world, nobody would ever exploit those vulnerabilities.

In a perfect world, nobody would ever have tampered with Tylenol packaging.

As an insulin pump wearer, I applaud the GAO for paying attention.

And let’s hope that malicious attacks against medical devices remain in the realm of the theoretical.

If you want to read more about research into security and insulin pumps, check out fellow Naked Security writer Chester Wisniewski’s thoughts on Jay Radcliffe’s research on hacking medical devices, presented at BlackHat 2011.

_{Insulin pump, medical cross and human body images courtesy of Shutterstock}