The disclosure raises the risk of attacks on certain Medtronic insulin pumps. But Radcliffe said he hopes that exposure helps fix the problems. He said that he tried to handle the disclosure ethically - by working with the company first - and felt “there should have been an ethical response [from the company] to that.’’
Radcliffe, a diabetic who experimented on his own Medtronic pump, revealed the details.
Medtronic would not directly address its interactions with Radcliffe. Spokeswoman Amanda Sheldon said a Medtronic employee attended Radcliffe’s presentation at the Black Hat computer security conference this month in Las Vegas and said the company was analyzing his public statements.
“We have to evaluate the sources of the information and figure out what we should do with it,’’ she said.
Radcliffe said his public statements intentionally lacked the specific technical details that Medtronic would need to address the vulnerabilities he has found. After the Department of Homeland Security, which examined his research, helped make the introduction to Medtronic, his calls and e-mails went unanswered, he said, a claim Medtronic would not specifically address.
Radcliffe, who lives in Meridian, Idaho, said the experience has caused him to switch to another company that appears to use stronger security.
However, he said Medtronic customers should continue to use their pumps, as the techniques he developed are hard to execute in the real world - for now. Hacking attacks tend to get easier as more people do them, because hackers can write programs to automate the most cumbersome tasks.
Radcliffe’s findings are examples of hacking attack of the future, in which the software and chips being added to everyday technologies will make them vulnerable to new attacks.
