Jay Radcliffe thought he was a force for good. Last year, the 34-year-old computer network security expert discovered that a best-selling insulin pump used by fellow diabetics is vulnerable to hacking. Tinkering with his own pump, Radcliffe noticed that its wireless connection opened a security hole that would allow an attacker to manipulate the amount of insulin pumped, potentially inducing a fatal reaction.
Radcliffe shared his findings at the popular Black Hat security conference in Las Vegas last August, convinced that the publicity would pressure manufacturers of medical devices to improve their security. Instead, the presentation, which was titled “Hacking Medical Devices for Fun and Insulin,” unleashed a tide of angry e-mails. Radcliffe, who has a day job at IBM, heard from parents terrified that he had given evildoers a blueprint to kill their children. Diabetics, worried that his research would slow the approval process for more secure pumps, also weighed in.
Victoria Cumbow, a blogger in Huntsville, Ala., says diabetics like herself experienced “a borderline betrayal feeling” when they heard of Radcliffe’s exploit. “We didn’t feel like he put the community first, and the defense mechanism went up,” she says.
Radcliffe, who was diagnosed with Type 1 diabetes at 22, admits he couldn’t handle the vitriol. “At first I tried responding, but at some point you just have to stop,” he says, speaking by phone from his home in Meridian, Idaho. “Because some people you’re just not going to convince, and you’re just adding fuel to the fire by trying to defend yourself.”
Not all the reaction was negative. Two weeks after Radcliffe made his presentation, Representatives Anna Eshoo of California and Edward Markey of Massachusetts asked the Government Accountability Office to investigate the security of wireless health-care devices, citing his research. The agency is scheduled to publish its report in July.
Radcliffe did not name Medtronic, the manufacturer of the pump he hacked, in his presentation. He says he outed the Minneapolis-based company three weeks later after it rebuffed his attempts to discuss the matter. Medtronic says a representative attended Radcliffe’s talk but won’t comment on its interactions with him. The company is adding security measures to future pumps, which may not hit the market for several years. It says the risk of an attack is “extremely low.”
Barnaby Jack, a San Francisco hacker best known for attacking cash machines, says his own work indicates that the security risks are even more acute than Radcliffe makes out. “I don’t want to discredit Jay’s research, but this potential vulnerability is much greater,” he says.
Radcliffe is working on a new, secret project involving medical devices. He hopes to be something more than just a one-hack wonder. “I don’t just want to be the guy who hacked into the insulin pump,” he says.