NEW YORK (TheStreet) -- Hacking may be a major threat to corporate data, bank accounts, and even the U.S. power grid, but what about the chilling prospect of hackers attacking a medical device and killing someone?
Sound far-fetched? Well, fact is stranger than fiction. Security researcher and diabetic Jerome Radcliffe caused a stir at a recent Black Hat conference when he described an attempt to hack his own wirelessly connected medical equipment. Radcliffe discovered flaws that could potentially give a hacker control of his insulin pump, according to The Associated Press.
"It's a very scary thought," said security expert Chris Hadnagy, author of Social Engineering: The Art of Human Hacking, warning that a pump injecting the wrong amounts of insulin could put someone into a diabetic coma. "I am sure that there are some really sick people out there that would do this because they can."
While Hadnagy believes that a twisted hacker eager for infamy could go after these pumps, he also sees the potential for targeted attacks. "Let's imagine someone in power or someone famous is using one of these insulin pumps -- what if someone has a vendetta against them?"
Small devices roughly the size of a cell phone, insulin pumps are used by some diabetics to continuously inject insulin and keep their blood glucose at the correct levels. The pumps, which remove the need for multiple manual insulin injections, are connected to the body via a tiny tube that is thinner than a strand of spaghetti, and can be adjusted via a special remote control. At meal times, for example, the diabetic can program the pump to inject whatever amount of insulin is needed.
Radcliffe's demo, however, raised the specter of an attacker gaining control of the pump via another remote control. The researcher used a USB radio device connected to a computer to "eavesdrop" on data being sent from the computer to the pump, according to The Associated Press. This data could then be used to program another remote control to send commands to the pump.
Although Radcliffe did not initially name his insulin pump manufacturer, he went public with this information last week, accusing device maker Medtronic (MDT) of not taking his findings seriously. Radcliffe, who didn't respond to repeated requests by TheStreet for comment on this story, cited a lack of wireless encryption, passwords and authentication, according to eWeek, noting that the pump will accept commands from any source and execute them.