Darlene Storm

FDA asks hackers to expose holes in medical devices, but many researchers fear CFAA & jail

July 23, 2013 3:36 PM EDT

With back-to-back hacker conferences about to kick off in Las Vegas, it’s an extremely exciting time for people interested in security and interested in insecurity by knowing what exactly can be done via hacking.

FDA asks hackers to expose flaws in medical devices, but some researchers fear aggressive CFAA prosecutions and prison timeBlack Hat USA, which normally has 80-90 talks, will feature a record-breaking number of 110 talks this year. SC Magazine wrote about how the fear of being sued or worse—going to prison—makes some security researchers edgy about disclosing vulnerabilities. And every year after Black Hat and Def Con, some red-faced company whose product was hacked will point fingers and make nasty accusations.

Such was the case after security researcher Jay Radcliffe explained [pdf] how wireless attacks on an insulin pump could potentially be lethal enough to kill diabetics. He heard “from parents terrified that he had given evildoers a blueprint to kill their children.” Radcliffe, a senior security analyst with InGuardians, is a diabetic; he wanted his insulin pump secured, but the device maker, Medtronic, ignored the proof that a software bug would allow an attacker to take remote control of the insulin pump. That is why he shared his findings "Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System" at Black Hat in 2011. Even Congress got worked up about that and demanded answers about how an insulin pump could be remotely controlled via a $20 radio frequency transmitter.

Then the feds were pressed to protect wireless medical devices from hackers after security researcher Barnaby Jack "discovered a way to scan a public space from up to 300 feet away, find vulnerable pumps made by Minneapolis-based Medtronic Inc., and force them to dispense fatal insulin doses. Jack doesn't need to be close to the victim or do any kind of extra surveillance to acquire the serial number, as Radcliffe did." Later that year, raising awareness so embedded medical device makers would beef up security, Jack explained how pacemakers and ICDs, if infected with a worm, could possibly commit mass murder.

Well now Radcliffe has a new insulin pump, made by Animas Corp., and claims this medical device also “has a flaw that can cause incorrect dosage levels of insulin,” reported Bloomberg. Yet this time Radcliffe found an ally in the FDA, which is encouraging security researchers to disclose medical device vulnerabilities. The “FDA forced a high-level discussion” with Animas Corp., but the company “which is a division of Johnson & Johnson, disagrees strongly with the severity of the issue he uncovered and doesn't think the device needs to be fixed.”

In his complaint to the FDA, Radcliffe claims his Animas pump inaccurately calculates the amount of insulin to dispense after the battery is changed. The pump does not automatically factor in the amount of insulin it dispensed immediately before the battery was removed, he said.

That issue led to dosing errors that caused him to experience two low-blood-sugar episodes, which can be fatal, Radcliffe said. 

Radcliffe will present “Fact and Fiction: Defending your Medical Devices” at Black Hat. As a bonus, “this talk will also have the unique element of discussing a medical device software bug that InGuardians uncovered. This bug will be discussed in detail and replicated live on stage.”

Barnaby Jack will present “Implantable Medical Devices: Hacking Humans” at Black Hat. He explained that “there are well over 3 million pacemakers and over 1.7 million ICD's in use” today. “Our internal research software will be revealed that utilizes a common bedside transmitter to scan for, and interrogate individual medical implants.”

The hacking talks and attack tools released from both Black Hat and Def Con will no doubt cause some security researchers to be accused of something unsavory. But the other choice is to leave the holes alone so only the bad guys are secretly exploiting them. As SC Magazine wrote:

Because of recent examples in which the federal anti-hacking law, known as the Computer Fraud and Abuse Act (CFAA), has been interpreted in ways that permit aggressive prosecutions to be launched, researchers are significantly limiting or scrapping altogether projects that they have invested months or even years on – fearful that they will become the next Aaron Swartz or Andrew "Weev" Auernheimer, and unwilling to join a procession of digital martyrs that is expected to only grow over the next several years. Everyone, it seems, is feeling timid. 

Shane McDougall from Tactical Intelligence said, “I really can't express how monumentally bad the decision by the FBI to go after Weev was.” He added that the FBI has "really done American consumers a disservice.”

“It's extremely dangerous legally now to test the security of any sort of service,” security researcher Charlie Miller told SC Magazine. “There's always a threat you'll get sued, but it's a whole 'nother story that you may end up in jail."