Saturday, August 27, 2011

Insulin pump hacker says vendor Medtronic is ignoring security risk

Jerome Radcliffe scared a lot of people — including himself, since he is a diabetic — when he showed how easy it was to hack an insulin pump from a distance at the Black Hat security conference in Las Vegas early this month.

At the time, Radcliffe didn’t disclose the names of vendor names or models. He withheld the information to stay within legal boundaries, to protect himself, and to make sure he did not arm criminal hackers with the means to undertake the actual hacks. Today he revealed in a conference call that the company in question was Medtronic and it has not acknowledged that there is a security risk.

“I chose not to disclose the details to protect the public safety of diabetics,” he said today in a conference call. But that was before he ran into a brick wall with Medtronic.

Now he has worked with the Department of Homeland Security and the Computer Emergency Response Team to contact the vendor of insulin pumps. He said he expected to get honest, public disclosure from the vendor about what it would do to fix the problem.

“I expect a company to be truthful with any press statements and to do fact checking,” he said. “I expect a comprehensive solution in a timely manner.”

Today, Radcliffe revealed that the company was Medtronic, which had an engineer available at his talk in early August. Radcliffe said that on Aug. 9, Medtronic posted a statement on its web site that says it wasn’t really a security problem. Radcliffe was unsettled by that and emailed the engineer again. On Aug. 12, the DHS contacted the company and got no response. On Aug. 15, Congress sent a letter to the General Accounting Office asking for an investigation. And on Aug. 24 Medtronic gave an Associated Press reporter the same reinforced PR statement. CERT also contacted Medtronic.

“Medtronic takes very seriously the issue of information security of its devices,” the company said in a statement. “It’s an integral part of the very fabric of our product design processes.” It also said, “To our knowledge, there has never been a single reported incident of wireless tampering outside of controlled laboratory experiments in more than 30 years of use.”

The company made a point to minimize the importance of Radcliffe’s work, which prompted Radcliffe’s follow-up call with reporters today.

“It was really disappointing to me they would publish this information without doing any fact-checking whatsoever,” Radcliffe said. “You should contact Medtronic and let them know you find this type of behavior unacceptable. If you are a customer, you should demand they take this issue seriously and be truthful.”

With diabetes, a patient can’t properly process sugar in his or her blood because the body can’t make enough insulin, which bonds with the sugar and turns it into fat. Patients have to inject themselves with synthetic insulin as often as several times a day to keep their blood sugar under control. If they have too little or too much sugar in their blood, the results can be incapacitating or even life threatening.

Insulin pumps use wireless sensors that detect blood sugar levels and then communicate the data to a screen on the insulin pump. The patient can monitor the readings and inject the insulin as needed. Radcliffe reverse-engineered the pumps and the wireless connectivity and figured out that the system was relatively unprotected. It was configured more like a dumb device where the manufacturers assumed no one would try to hack it.

There was no encryption, since that requires more complicated processing and would make the battery for the device run out faster. The sensor has to run on a 1.5-volt watch battery for two years. Adding encryption?also makes the device more expensive. Once Radcliffe,?who has used insulin pumps for a while and has been a diabetic since he was 22,?understood how the devices worked, it was relatively simple to figure out how to hack them.

Radcliffe says he really wants to educate people on how to better protect medical devices. He explained how he figured out how to hack insulin pumps, which rely on wireless connectivity and are therefore vulnerable to being intercepted and compromised.

At Black Hat, Radcliffe tackled the problem of hacking the wireless sensors that collect blood sugar information and transmit it to the insulin pump. He had to figure out what kind of chips are used in the sensors, which he did with some digging. Since the devices emit wireless signals, the manufacturers have to submit designs to the Federal Communications Commission, which investigates whether the device emits anything harmful. Those filings contained valuable information on how the devices operated, Radcliffe said. The data-sheets for the chips had good information, and the patent for the $6,000 or so?insulin pump was also useful.

Once he IDed the sensor, Radcliffe went through the process of deciphering what the?wireless transmissions meant. These?transmissions are not?encrypted, since the devices have to be really cheap. The transmissions are only 76 bits and they travel at more than 8,000 bits per second. To review the signal, Radcliffe captured it with a $10 radio frequency circuit board and used an oscilloscope to analyze the bits.

He captured?two 9-millisecond transmissions that were five minutes apart. But they?came out looking like gibberish.?He captured more transmissions. About 80 percent of the transmissions had some of the same bits. He reached out to Texas Instruments for help but didn’t have much luck. He told the TI people what he was doing and they decided not to help him.

That was as far as he got on deciphering the wireless signal from the sensor, since there was no documentation that really helped him there. He couldn’t understand what the signal said, but he didn’t need to do that. So he tried to jam the signals to see if he could stop the transmitter. With a quarter of a mile, he figured out he could indeed mess up the transmitter via a denial of service attack, or flooding it with false data.

The problem for manufacturers is that the wireless connection on the insulin pump is also not secure. He wrote a “scanner” program that could query for the device’s wireless signal and it pretty much gave itself away with no encryption to interfere with the scanning. If you can get the serial number of the specific device, you can use that to devise a transmission that issues an instruction to it. Radcliffe can control the pump from a distance. He did it on one device that he owns, not a series of devices, since it was his own personal research. He doesn’t know if some pumps are more secure. He isn’t disclosing the vendor yet, but he will work with the vendor to help create a solution.

Radcliffe figured out that if he reversed the format of the signal, he could then capture a transmission identification and then retransmit it with fake data. That would cause the insulin pump to inject too much or too little insulin into the person’s bloodstream, potentially killing the patient. The pump did nothing to inform the patient that its data had been altered.

Hacking medical devices isn’t a pretty subject. But it is perfectly possible and manufacturers of those devices shouldn’t ignore the possibility that it can be done. The problem of lack of security awareness among the manufacturers has been around for a while. In 2008, a security researcher at the?Defcon security conference?showed how he could turn off someone’s pacemaker.

Radcliffe says that next-generation pumps may use Bluetooth wireless radio, which has also been hacked in the past. Research is being done into whether the pumps and the sensors can be integrated so that humans don’t have to make their own assessments about how much insulin they need.

Radcliffe said he has ordered a new insulin pump from a Medtronic rival, Animas. The vulnerable pumps are the Paradigm models 512, 522, 712, and 722. He said that the risks are still low in terms of a hacking attack against individual users. But he said users should be concerned about the behavior of companies.

“I can’t continue supporting a company I find unethical,” he said. “I will continue to be committed to fully disclosing and cooperating with Medtronic no matter what their conduct is. Public safety is the top security.”

Next Story: Electronic Arts’ The Sims Social hits 4.6 million daily players a week after?launch
Previous Story: Google brings voice search to?Maps

Tags: Black Hat, hackers, insulin pumps, security

People: Jay Radcliffe


View the original article here

Max Levchin leaves Google, Slide gets axed — blame Google+

Just one week after Slide’s Photovine photosharing app officially debuted, it appears that trouble is afoot for the Google-owned social app startup.

Slide founder Max Levchin (pictured right), who also cofounded PayPal, is leaving Slide and Google, All Things Digital reports. Slide itself will be shut down in the next few months, and remaining employees will be shuffled into Google proper. Meanwhile, the company’s apps, including the messaging app Disco and its other photo-sharing app Pool Party, are on track to be sunsetted — a fancy way of saying they’re going to be shut down.

For Google, a company that has typically made wise and forward-thinking acquisitions, the news comes as a surprise. Google purchased Slide last August for around $200 million, and it ran independently with the hopes that it would buoy Google’s flagging position with social apps and services. But that was before Larry Page reclaimed his CEO role at Google, restructured the company, and put an extraordinary emphasis on getting social right.

Now Google has Google+. Its fledgling social network is growing rapidly and has greatly reduced much of Slide’s initial value for the company. The gorgeous photo sharing in Google+, for example, competes directly with Photovine and Pool Party.

It’s also worth noting that many of Slide’s products, including Disco, Photovine and Pool Party, are iOS-only with no Android support. Indeed, Slide has seemed out of step with Google’s social moves for some time, something that can be attributed to the company being run autonomously.

The real question now is why did Google take so long to figure things out with Slide. The company could have saved a lot of wasted manpower and resources had it decided earlier that Slide’s apps weren’t necessary.

Slide has some 100 employees, some of which will land at YouTube (also run independently from Google), All Things Digital reports. Slide head of product Jared Fliesler is also jumping ship to Square, where he’ll join up with his former colleague Keith Rabois.

Next Story: Pandora beats analyst estimates, reports $67M record?revenue
Previous Story: Xbox Live Gold members get a nice ESPN?update

Tags: apps, Disco, Google Plus, Photovine, Pool Party

Companies: Google, Slide, Square

People: Jared Fliesler, Max Levchin


View the original article here

Sequoia Capital raising fifth growth and principals funds

Storied venture capital firm Sequoia Capital is in the process of raising a new growth fund and principals fund, the firm has confirmed with VentureBeat.

Sequoia would not disclose any new details about the funds when contacted by VentureBeat. A filing with the Securities and Exchange Commission indicated that the firm is raising a new fund, but the filings do not list the amount of money the firm expects to raise for its fund.

Sequoia Capital raised its last “growth fund” in 2008, when it raised $925 million.

The firm’s growth-stage investments include the likes of Apple, eHarmony, Evernote, Google and Jive, an enterprise social networking company that filed to go public yesterday to raise up to $100 million. The growth stage investments range between $10 million and $100 million, according to the firm’s website.

Next Story: Why Apple employees avoid getting in the elevator with Steve?Jobs
Previous Story: SoundHound parnters with Spotify to offer music streaming in?Europe

Tags: growth fund, investments, Venture Capital

Companies: Sequoia Capital


View the original article here

Top 10 Steve Jobs resignation reaction stories

Everyone’s talking about Steve Jobs resigning as CEO at Apple (just like they did in 1985, image at left) but a few publications are doing it in unique ways. Here are my top 10 favorite resignation stories.

10. “No, Jobs would never be called Steve Jock,” writes?Patrick Dorsey at ESPN. “But the now-former Apple CEO impacted athletics in many, many ways.” Dorsey goes on to list them in this article “Steve Jobs had a major impact on the sports world.”

9. Want to talk to your friends about the future of Apple leadership without sounding like an idiot? Read the article “After Steve Jobs’ resignation, 5 top executives at Apple” from the Economic Times. It’s short and sweet and gives a “who’s who” of executives you will be hearing about now that Jobs stepping down.

8. Lot’s of news sites are speculating about Jobs’ health. Elizabeth Landau at CNN writes about this topic well in “Piecing together details of Jobs’ health history.“

7. Dave Caolo at TUAW.com has this interesting post: “Steve Jobs has 313 patents to his name, including some unexpected.”

6. “The moment Apple’s biggest fan met Steve Jobs” on The Next Web is a big, warm, fuzzy story that will make you want to get a haircut.

5. Oh, The Onion. “New Apple CEO Tim Cook: ‘I’m Thinking Printers’ “

4. This story really is number 1, but since it’s my story I’m going to act like it isn’t (it is) and stick it in here at number 4: “Why Apple employees avoid getting in the elevator with Steve?Jobs“

3. TheGadgets.net does a great breakdown of Jobs’ top inventions with pictures in the post “Top Inventions of Steve Jobs.” If you don’t have a whole lot of time to read, this story is a fun skimmer.

2. “Steve Jobs steps down the first time: The 1985 press coverage” from Technologizer.com is a good roundup of what major news outlets reported that year. Some of it is being repeated now, almost verbatim. I nabbed the InfoWorld image used in this post from them. It’s fantastic.

1. If this list isn’t enough, KQED has 14 more stories to checkout.

Next Story: Verizon acquires enterprise services provider?CloudSwitch
Previous Story: No Galaxy S II for Verizon, but expect a similar Samsung?phone

Tags: resignation

Companies: Apple

People: Steve Jobs


View the original article here

Vizibility wants to help you game Google

VizibilityPotential employers are going to search for you, it happens. But Google can be a fickle mistress. That’s why Vizibility has raised $1.3 million in a follow-on seed round to give you the Googling power back.

Vizibility has created a “search me” button that displays personalized Google search results in a pop up window. These results are managed through the “PreSearch” wizard, which allows you to design and control what appears in your pop up window. From there you can embed the button on your site and direct curious friends, family and potential employers to the pre-approved you.

My first question was, will this skew actual search results? The answer is no. From that pop up, the searcher can access all of your Google results in their natural order on the Google site. The benefit of Vizibility, however, is the interception. It gives you the opportunity to quench the curiosity before digging begins. Furthermore, the pop up doesn’t actually look shaddy, or like you’re trying to hide something. It’s a direct list of links that look and feel like Google search results.

Vizibility’s price points vary based on whether you are an individual or a coJames Alexandermpany. Company prices range from $30-$200 a year and individual prices range from free to $10 a month. Dependent on what level you purchase, you will receive the Vizibility button and wizard along with a personal QR code, Twitter and Facebook updates that appear when people search for you, a report when your search results change in Google, a “button report” showing who uses your button, and more.

The follow-on seed round was led by Launchpad Venture Group as well as Boston Harbor Angels, New York Angels, TiE Angels, and individual investors.

“We’ve got a great team in place and a business plan that is delivering compelling results. That, plus our two search innovation patents, is why we’ve been able to raise over $2 million in capital thus far,” James Alexander, Vizibility chief executive said in a statement.

Vizibility was founded in 2009 and is currently headquartered in New York City.

Next Story: Xbox Live Gold members get a nice ESPN?update
Previous Story: Gowalla trims feature set, eliminates virtual items and notes from?check-ins

Tags: button, pop up, search results

Companies: Google, Vizibility

People: James Alexander


View the original article here

Xbox Live Gold members get a nice ESPN update

ESPN on Xbox LIVE

Reaffirming its strategy to evolve the Xbox 360 into an all-in-one entertainment device, Microsoft debuted an update to its Xbox Live ESPN sports offering Thursday.

The new ESPN on Xbox Live channel adds a number of new or updated features, such as event reminders, sports news notifications, voice controls via Xbox Kinect and an easily accessible college football scoreboard. Perhaps the most notable addition is the ability to watch a live sports game while also checking scores, reading news or even watching a second game via a new split screen feature.

Previously, Xbox Live Gold members had access to sports content from ESPN3, which includes live events and highlights from over 400 college football games, 31 bowl games and 75 exclusive games (about 50 of those happening in the first five weeks of the season). But the user experience wasn’t very impressive, according to avid Xbox gamer, sports nut and Geeks of Doom Managing Editor Jay Dussault.

“It was pretty cool for highlights and such, but most of the live events I found were weird sports like cricket and rugby — sometimes soccer,” Dussault said, adding that he rarely thought to use his Xbox when more exciting sports games were available.

However, the new features available in the update optimize the experience of viewing ESPN3 content on an Xbox.

“The focus on more exciting sports, reminders of what’s on, and the ability to watch split screen paired with the live alerts and Bottom Line (and perhaps having the ability to control it with voice commands via Kinect) make it well worth having for sports nuts,” Dussault said.

Image courtesy of Microsoft

Next Story: Max Levchin leaves Google, Slide gets axed — blame?Google+
Previous Story: Vizibility wants to help you game?Google

Tags: ESPN, ESPN3, sports, streaming video, Xbox Live

Companies: Microsoft


View the original article here

Electronic Arts’ The Sims Social hits 4.6 million daily players a week after launch

Electronic Arts’ latest Facebook game, The Sims Social, has picked up more than 4.6 million daily active users after launching a week ago, according to AppData.

The Sims Social was the fastest growing social game this week, picking up 2.6 million daily active users as of the beginning of the week and 1.2 million daily active users today alone. That’s compared to Zynga’s smash hit Empires & Allies, which lost around 328,000 daily active users today. Frontierville, another Zynga game that recently released a new sub-game called Pioneer Ville, lost around 220,000 daily active users today, according to AppData.

Electronic Arts’ newest social game looks like it will give Zynga — which hasn’t really faced any stiff competition in Facebook games —?a run for its money. That’s because the game has a massive franchise and name behind it, along with a development team that has a pretty stellar track record. EA has sold more than 140 million copies of the The Sims and its sequels and expansion packs and has generated around $3 billion in revenue from it.

The Sims Social is basically a lightweight version of The Sims built into a browser on Facebook. The team behind The Sims and casual games maker Playfish both worked on the game. Electronic Arts bought Playfish in 2009 when it was vying with social games maker Zynga for the top social gaming spot.?Zynga has since lurched ahead and claimed the top spot, with 264 million monthly active.

Before The Sims Social launched, Electronic Arts had around 29 million monthly active users,?according to AppData. The company has since risen to around 34.6 million monthly active users, passing social gaming company Wooga (which has around 34 million monthly active users).

The Sims was a smash hit with casual gamers because it was a very light game that was easy to get into and offered a lot of depth. You basically control a “sim” as it lives its life and try to achieve lifetime goals — which lets gamers accomplish whatever they want to do in the game. ?The games are known for having tongue-in-cheek humor and sharp writing.

Electronic Arts has not-so-quietly established a fierce casual and social gaming team. The company bought Playfish back in 2009 and also bought casual games maker PopCap?for $750 million. Both teams have made successful games, and once the PopCap deal closes,?there’s a good chance Playfish will be working with casual games maker PopCap.

Next Story: SoundHound parnters with Spotify to offer music streaming in?Europe
Previous Story: Insulin pump hacker says vendor Medtronic is ignoring security?risk

Tags: CityVille, Farmville, social games, The Sims, The Sims Social

Companies: Electronic Arts


View the original article here