The next frontier of cybercrime could be the human body, a researcher at the Black Hat Security Conference demonstrated. In his presentation, "Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System," Jay Radcliffe showed how an attacker could remotely compromise two medical devices used to treat diabetes and cause them to malfunction — with potentially disastrous results.
"Wireless communication with insulin pumps are not secure, they're not designed to be updated and there's no way of patching them," he told the audience. "It's not like a phone, where you can download a firmware update."
Radcliffe, a diabetic who wears an insulin pump controllable by a remote device, spent about four months developing a proof-of-concept hack on a continuous glucose meter (CGM), a wireless sensor inserted into human tissue that sends out a blood sugar reading every five minutes to a remote monitoring device.
After researching the insulin pump's specs, Radcliffe wrote a malicious script, loaded it onto a USB device that communicates via radio frequency — the specific one he used is available on eBay for about $20 — and rigged it to remotely turn off the pump. He then dismantled the glucose-monitoring sensor and found that the chip inside is the same one used in SCADA systems, automated computer networks that run industrial control systems.
Radcliffe said his hardware hacking highlights just how insecure modern, everyday devices are, even ones we rely on for our own health.
"There is always a threat lurking, we can't just ignore it and think that, 'Oh it's just an insulin pump, nobody's going to hack that.' That's what we said 15 years ago about the Web," Radcliffe said. "We need to look ahead of the curve. Just because it can't be done easily, doesn't mean it can't be done. There are way too many smart people out there."