New insulin pump flaws highlight security risks from medical devices

Attackers exploit flaws in the Animas OneTouch Ping insulin pump system to deliver dangerous insulin doses

Medical device manufacturer Animas, a subsidiary of Johnson & Johnson, is warning diabetic patients who use its OneTouch Ping insulin pumps about security issues that could allow hackers to deliver unauthorized doses of insulin.

The vulnerabilities were discovered by Jay Radcliffe, a security researcher at Rapid7 who is a Type I diabetic and user of the pump. The flaws primarily stem from a lack of encryption in the communication between the device's two parts: the insulin pump itself and the meter-remote that monitors blood sugar levels and remotely tells the pump how much insulin to administer.

The pump and the meter use a proprietary wireless management protocol through radio frequency communications that are not encrypted. This exposes the system to several attacks.

First, passive attackers can snoop on the traffic and read the blood glucose results and insulin dosage data. Then, they can trivially spoof the meter to the pump because the key used to pair the two devices is transmitted in clear text.

"This vulnerability can be used to remotely dispense insulin and potentially cause the patient to have a hypoglycemic reaction," the Rapid7 researchers said in a blog post.

A third issue is that the pump lacks protection against so-called replay attacks, where a legitimate command is intercepted and then played back by the attacker at a later time. This allows attackers to trigger an insulin bolus without any special knowledge of the protocol, the researchers said.

While the meter-remote is advertised to work from up to 10 meters away, it is technically possible to launch spoofing attacks from much greater distances with more powerful radio transmission gear like that used by ham radio hobbyists.

Animas has published a security notice on its website with recommendations and will also send letters to customers.

The company views the probability of unauthorized access to the OneTouch Ping system as very low, saying these attacks "would require technical expertise, sophisticated equipment, and proximity to the pump."

Concerned users can turn off the pump's radio frequency feature, but patients will then have to enter the blood glucose readings manually because the meter will no longer be able to transmit them.

Additionally, the pump can be programmed to limit the amount of bolus insulin that can be delivered at once, over a two-hour period and per day. Attempts to exceed these settings will trigger a pump alarm and prevent bolus insulin delivery, Animas said.
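The three weaknesses above (cleartext pairing key, no replay protection) and the bolus-limit mitigation can be illustrated with a small simulation. The following is an added example written for this article, not Animas code and not the real OneTouch Ping wire format: it models a pump that only accepts commands authenticated with the pairing key, binds each command to a monotonic counter so a captured message cannot be replayed, and enforces the per-bolus, two-hour and daily limits the article describes. All key, limit and dose values are constructed for the demo.

```python
import hashlib
import hmac
import struct


class Pump:
    """Toy pump: authenticated, counter-bound bolus commands plus dose limits."""

    def __init__(self, pairing_key, max_bolus, max_2h, max_day):
        self.key = pairing_key            # shared secret from pairing (never sent in clear)
        self.last_counter = 0             # highest counter accepted so far
        self.limits = (max_bolus, max_2h, max_day)
        self.log = []                     # (time_s, units) of delivered boluses

    def _auth_ok(self, counter, units, tag):
        body = struct.pack(">Id", counter, units)
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

    def _within_limits(self, t, units):
        max_bolus, max_2h, max_day = self.limits
        in_2h = sum(u for ts, u in self.log if t - ts < 7200) + units
        in_day = sum(u for ts, u in self.log if t - ts < 86400) + units
        return units <= max_bolus and in_2h <= max_2h and in_day <= max_day

    def bolus(self, cmd, t):
        counter, units, tag = cmd
        if not self._auth_ok(counter, units, tag):
            return "rejected: bad tag"          # spoofed meter without the key
        if counter <= self.last_counter:
            return "rejected: replay"           # captured command played back
        if not self._within_limits(t, units):
            return "alarm: bolus limit exceeded"  # the mitigation Animas describes
        self.last_counter = counter
        self.log.append((t, units))
        return "delivered"


def make_bolus_cmd(key, counter, units):
    """Meter side: MAC over (counter, units) with the pairing key."""
    body = struct.pack(">Id", counter, units)
    return (counter, units, hmac.new(key, body, hashlib.sha256).digest())


def demo():
    key = b"constructed-pairing-key"           # constructed, not a real key
    pump = Pump(key, max_bolus=5.0, max_2h=8.0, max_day=20.0)
    cmd = make_bolus_cmd(key, 1, 2.0)
    r1 = pump.bolus(cmd, t=0)                                 # delivered
    r2 = pump.bolus(cmd, t=10)                                # replay of r1 rejected
    r3 = pump.bolus(make_bolus_cmd(key, 2, 7.0), t=20)        # over max_bolus
    r4 = pump.bolus(make_bolus_cmd(b"wrong", 3, 1.0), t=30)   # wrong key
    r5 = pump.bolus(make_bolus_cmd(key, 3, 5.0), t=40)        # 2+5 within 2h limit
    r6 = pump.bolus(make_bolus_cmd(key, 4, 2.0), t=50)        # 2+5+2 exceeds 2h limit
    return [r1, r2, r3, r4, r5, r6]
```

Turning off the pump's RF feature, as the article notes, removes the attack surface entirely; the limits and counter here show what a protocol-level fix would need to add.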

The high or low blood sugar risks a diabetic has to deal with every day are more serious than the risks introduced by these vulnerabilities, Radcliffe said. Removing an insulin pump from a diabetic over the security issues would be comparable to never flying in an airplane because it might crash, he said.

However, "as these devices get more advanced, and eventually connect to the internet (directly or indirectly), the level of risk goes up dramatically," the researcher warned. "This research highlights why it is so important to wait for vendors, regulators, and researchers to fully work on these highly complex devices."

Before going public, Radcliffe worked with Animas and its parent company, Johnson & Johnson, to help them understand the flaws and develop mitigations. This is in stark contrast to researchers from a company called MedSec, who recently chose to share information about vulnerabilities in heart devices from St. Jude Medical with an investment research firm so the firm could short the device maker's stock.

The security of medical devices has been a hot topic in the security research community for the past several years. Some vendors have taken notice and have launched vulnerability coordination programs, and the U.S. Food and Drug Administration actively encourages medical device manufacturers to work with security researchers.

Stories by Lucian Constantin