
J&J warns diabetic patients – Insulin pump vulnerable to hacking - uptown
http://www.reuters.com/article/us-johnson-johnson-cyber-insulin-pumps-e-idUSKCN12411L
======
patcheudor
This really doesn't sit well with me on multiple fronts:

"Company technicians were able to replicate Radcliffe's findings, confirming
that a hacker could order the pump to dose insulin from a distance of up to 25
feet, Levy said. He said such attacks are difficult to pull off because they
require specialized technical expertise and sophisticated equipment."

Specialized technical expertise and sophisticated equipment? Based on what I
just read from the product manual, this attack appears to be capable of being
done with two HackRFs since none of the frequencies used by this device
exceeds 2.4 GHz. Is a HackRF really as "specialized" as what is being implied
by the manufacturer? Further, I get it, I've used GNU Radio. It's not easy,
but it's also not terribly difficult to pick up. Yes, if someone wanted to kill
someone with an attack on an insulin pump like this, there are likely easier
ways, but ultimately, for anyone that has any reasonable level of technical
ability, developing an attack against the system isn't much of a barrier and
would leave little trace - certainly none that would likely lead to a murder
conviction in most jurisdictions. Further, once someone does develop an
attack, if they then publish or sell that attack, it becomes instantly
available to anyone.

The other problem here of course is the statement about 25ft. Ultimately radio
is radio and it's hard to make definitive statements pertaining to range since
that's dependent on the power of the transmitter and sensitivity of the
receiver, both in control of the attacker in this kind of attack. Is the
insulin pump actually somehow measuring with atomic clock precision the time
it takes for a message to traverse the air from the remote and if it's longer
than it takes to travel 25ft, cutting off communication? Doubtful.

