#pumphackinggate

My bionic parts.

As I probed the Associated Press, or AP, wire service at work last week, I ran across an article about hacking an insulin pump. Naturally, my curiosity was piqued. Shortly thereafter, several online friends shared the same article. And not long after my friends in the Diabetes Online Community, or DOC, began to chatter, my real-life, non-D friends began to share the article with me as well.

Here’s a link to the AP article prompted by fellow person with diabetes, or PWD, Jay Radcliffe. In short, Radcliffe was able to hack into his own insulin pump and control its insulin dosing through an outside remote. Essentially, he proved insulin pumps could be hacked, putting type 1 diabetics at risk. Radcliffe presented his findings (tested only on his own insulin pump, whose manufacturer he didn’t disclose) at the Black Hat conference in Las Vegas. (I understand that to be a hackers’ convention.) He then contacted the AP regarding the information.

As a member of Diabetes Advocates, there has been much dialogue about Radcliffe’s findings, his method of releasing the information and many other thoughts on the matter. I have decided to share my thoughts on the article since so many have asked and so many have expressed concern. I’ll start with my own fears.

Yes, it bothers me greatly to know that the technology I use to keep me alive is able to be hacked into and adjusted by an outside force or person. It terrifies me to think about the possibilities there. In my daily job as a police reporter, I sometimes make enemies, so knowing I’m vulnerable doesn’t make me happy. But I’m not losing any sleep over this. You see, it doesn’t take much insulin for me to lower my blood sugar. So if I were hacked, I would be able to know something wasn’t right almost immediately. The same goes for a high blood sugar. If someone cut off my insulin supply, I would know within a short period of time. I’m going to correct a low as I always do, and I’m going to change out my pump site or take multiple daily injections until I correct the high. So as I see it, I’m not under a real threat. Diabetes is a tricky booger of a disease that I pay very close attention to, so I’m going to know within a few hours when something is amiss.

An example of a temporary basal rate.

As for the pump manufacturers and the FDA, I hope this story will prompt a more in-depth study to better secure the wireless capabilities that make my life easier to live. I hope it doesn’t result in the FDA taking even longer than it currently does to approve new technology (fingers crossed for the Animas Vibe, which Kerri blogged about here). I do hope this is something Animas, MedTronic and other pump manufacturers take seriously.

Both Animas and MedTronic released statements following the AP story on hacking.

As for Radcliffe, I’m glad to know there’s a PWD out there with enough smarts to find problems and address them. I am not, however, glad to know there’s a PWD who is putting others at an increased risk simply to garner personal attention and/or monetary gain. I have a difficult time believing Radcliffe was honest in this attempt or that he did it for the better good of others.

If he had truly been concerned, he could’ve taken his findings to the pump company or to the FDA rather than to present it at a public convention. There was no need to pitch the story to the AP, knowing the implications it would bring to the rest of our community. I now feel as though I’m yet another target in a world where I’m already climbing uphill. That, as a fellow type 1 diabetic, is overwhelmingly disappointing.

In the article, Radcliffe chose to keep the manufacturer of the pump he hacked secret. He claimed it was for his safety, but I have a difficult time swallowing that. Perhaps it was for liability reasons. Perhaps it was to ensure he continues to receive supplies from his company. Regardless, my BS meter is tipping the scales.

I have never met Radcliffe, and I would like to sometime in the future. I am impressed with his knowledge and expertise in this realm of technology, but I am not, by any means, impressed with his social networking or business skills. I hold nothing against him, and I think he has much to offer in the DOC, but I do urge him to truly consider other PWDs in future endeavors.

When considering media coverage of this information, many called it sensational. Personally, I don’t feel that way. Sure, there were definitely some sensational headlines, but as far as the story itself goes, I didn’t see it. The versions I read, all variations of the AP story, were fair. As a journalist, I feel quite certain saying this is something my editor would’ve chosen to cover. I agree media can sometimes go a bit overboard, but I don’t think this was one of those times.

(And as the title may suggest, we in the DOC have added a catchphrase.)

My meter, which also serves as a wireless remote for my insulin pump.

As with the umbrella disclaimer on my website, these thoughts are solely my own and do not reflect those of my employer or of any organization I am affiliated with. While I both disagree and agree with other type 1s on this subject, I am forever grateful for their friendship, expertise, thoughts and dialogue on this subject.

3 Responses

  1. Well, this is a tricky one for me. Device manufacturers limit our access to our own medical data and tightly control the way that we can interact with devices. It’s understandable given the limitations put on them by the FDA, their own desire to help (not harm) customers/patients, and their lawyers’ desire to limit risk exposure. It does mean, though, that there’s enormous potential for third-party, patient-focused tools that goes untapped.

    Using the AP to share this information leaves a bad taste in my mouth, but presenting the findings at the Black Hat conference seems like the most appropriate way to publicly disclose this research. (And it is, in my mind, legitimate personal security research that should be shared openly.) I would have preferred that Radcliffe work more closely with the device manufacturers leading up to the announcement. (I’m assuming that he did not.)

    On the other hand, just presenting the findings to the device manufacturers violates the hacker ethos, both the black hat and white hat versions. Part of hacking — the part that I can get down with — is when motivated hobbyists exploit technology to solve a problem (real or imagined). I have thought many times how great it would be to sniff the unprotected data that’s transmitted by pump/CGM and skip the middleman of uploading data to a web site. I’ve even gone so far as to seek out the information that Radcliffe presented, but it wasn’t available at the time.

    I suspect (and once again I’m assuming here) that Radcliffe was intrigued by the rather obvious possibilities of unprotected communication, and that’s getting lost in the whole “malicious people ruining diabetics’ lives” reporting. I fear the notoriety this incident is garnering is going to scare manufacturers into closing exploitable security holes without providing a secure, replacement method for getting at all of that data. And that’s a shame.

    Keep up the great reporting!

  2. Thanks for sharing your thoughts from your perspective. I had to chuckle at your use of BS meter, with the image of your BG meter nearby, since BS and BG are sometimes interchangeable.
