August 26, 2011, 2:33 PM — The most unexpected and inherently creepy hacking demonstration at this year's Black Hat conference was one from IBM security researcher Jay Radcliffe, who demonstrated how he was able to hack the wireless data connection on his insulin pump to take over and control it from as far as half a mile away.
He was able to increase or decrease his own dose to levels that would have been fatal, without any significant resistance from the pump, which lacked even the ability to identify whether commands were coming from a legitimate source.
Radcliffe didn't name the manufacturer in his Aug. 4 talk. He changed that during a press conference he called yesterday out of, he said, frustration at being stonewalled or ignored in three weeks' worth of attempts to get Medtronic to talk about the huge security flaw and even huger potential legal liability Radcliffe found in its insulin pumps.
Medtronic CEO Omar Ishrak told eWEEK he takes the issue "very seriously," but that the hack is possible only in "controlled settings."
A PR statement from the company said it had never seen any incident like the one Radcliffe demonstrated, despite selling millions of insulin pumps and related equipment to tens of thousands of patients.
That kind of cautious response might be understandable if Medtronic had never seen another implantable medical device hacked or remote-controlled, but it has.
Medtronic pacemakers can be hacked, too
In 2008, doctors from Harvard, the University of Massachusetts at Amherst and the University of Washington published a paper describing all the technical details of how they were able to hack and remotely control implantable cardiac defibrillators (PDF) – pacemakers that keep a patient's heart beating regularly.
Medtronic said at the time of the report it had never seen an incident in which a pacemaker had been hacked. It stuck with that position.
More than 2.6 million pacemakers had been implanted in patients in the U.S. by that time, many with wireless networking functions that allowed doctors to check on the health of both the patient and the device without cutting either one open.