Jay Radcliffe, a 33-year-old Idaho man who hacked into his own pump at a cybersecurity conference earlier this month, said Thursday that he initially withheld the name of the manufacturer in an effort to work with the medical technology company on security issues.
Medtronic's $1.3 billion California-based diabetes business is the largest maker of insulin pumps in the world. But Radcliffe and others suspect the security vulnerabilities could extend to other devices, such as pacemakers and implantable heart defibrillators.
After he was repeatedly rebuffed by Medtronic officials, Radcliffe says he decided to go public with the company's name. "Blowing me off is not an ethical response," he said on a webcast organized by Black Hat, a Seattle-based organization of security researchers.
Medtronic CEO Omar Ishrak said at the company's annual meeting Thursday that the probability of a security breach is small but that Medtronic "takes security very seriously." Security systems on new pumps will improve going forward, he said.
He also said there's never been an incidence of pump hacking in the real world -- it's only occurred in controlled settings with skilled individuals.
Radcliffe gave a presentation about his pump at a Black Hat conference earlier this month. There he remotely disabled its lifesaving therapy by remotely turning it off.
Since then, Radcliffe claims that Medtronic has distributed inaccurate information about the hacking threat, including statements that the pump's wireless capabilities can be turned off to prevent security breaches. "Sadly, this is not possible," he said.
Radcliffe has never revealed how he hacked into his own device -- he has since switched to a competing pump made by Johnson & Johnson. He urged patients with Medtronic pumps to continue using the devices, and acknowledged that the threat of hacking is small.
But, he said, it's important for companies to take security issues seriously. "Saying it's never been done is no assurance that it can't be done in the future," he said. "Just because nobody's exploited your system doesn't make it secure."
No comments:
Post a Comment