A security researcher, who is a diabetic, found flaws that could allow a computer hacker to remotely control insulin pumps and alter the readouts of blood-sugar monitors.
As a result, diabetics could get too much or too little insulin, a hormone they need for proper metabolism. Both cases are potentially fatal.
Jay Radcliffe, a diabetic who experimented on his own equipment, released his findings Thursday at the Black Hat computer security conference in Las Vegas.
"My initial reaction was that this was really cool from a technical perspective," Radcliffe said. "The second reaction was one of maybe sheer terror, to know that there's no security around the devices which are a very active part of keeping me alive."
Though there is no evidence that anyone used Radcliffe's techniques, his findings raise concerns about the safety of medical devices in the Internet age. Security researchers have already demonstrated attacks on pacemakers and defibrillators.
Still, medical device makers insist that the demonstrated attacks have been performed by skilled security researchers and are unlikely to occur in the real world.
That doesn't mean medical devices aren't susceptible. Devices are typically too small to include powerful encryption mechanisms to scramble wireless communications, which means most are vulnerable to attacks.
Radcliffe said someone would need to be within a couple hundred feet of the patient to pull off the attack. He also warned a stranger wandering a hospital or sitting behind a target on an airplane would be close enough.
With a powerful enough antenna, Radcliffe said, an attacker could be up to half a mile away. This attack worked on two different blood-sugar monitors, Radcliffe said.
Radcliffe said the point of his research is not to alarm people. He said the issues he's discovered are important to address publicly as the medical industry moves aggressively toward more networked devices.
The Associated Press contributed to this report.
