J&J warns insulin pump bugs expose diabetics to remote hacks

Flaws in a popular wireless insulin pump have left diabetics exposed to unauthorized insulin injections

Animas, a Johnson & Johnson company and the maker of the OneTouch Ping wireless insulin pump, is warning its diabetic users that flaws in communications between the device and a remote blood glucose meter could be used to trigger an unauthorized insulin injection. If that injection were not stopped in time, it could cause the wearer to experience a hypoglycemic reaction.

The flaws were discovered by Rapid7 security researcher Jay Radcliffe, a diabetic himself, who analyzed the equipment and found that communications between the meter and pump were sent unencrypted, or in the clear. Using the vulnerabilities he has also demonstrated that it is possible to deliver a diabetic 20 units of insulin, or enough to cause an insulin reaction.

“During the normal course of operation, de-identified blood glucose results and insulin dosage data is being leaked out for eavesdroppers to remotely receive,” Rapid7 explained in an advisory.

A second flaw relates to weak pairing between the remote and pump, which relies on a key that is again transmitted in the clear. Attackers could “trivially” sniff the key that is used to pair the remote and pump and then spoof either device. It’s this flaw that can be used to remotely inject insulin and cause the patient to have a hypoglycemic reaction.

The product also lacks any defenses against so-called “replay attacks” where an attacker captures an authorized transmission and then replays that at a later time, which in the case of an insulin pump and remote meter could cause a hypoglycemic reaction.

Finally, Animas was also using a proprietary management protocol to communicate between meter and pump and that protocol lacked controls to ensure packets are received by each device in a specific sequence.
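As an added illustration, not code from the article, from Animas or from the OneTouch Ping itself, the following Python models the two receiver designs the flaws above contrast: one that accepts any frame, as a protocol with no authentication and no sequence controls does, and one that binds each command to a monotonically increasing sequence number and a keyed MAC so that a captured frame cannot be replayed or altered. The key, frame layout and dose encoding are assumptions made for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed illustration, not the OneTouch Ping protocol: each command frame
# carries a monotonically increasing sequence number and an HMAC-SHA256 tag
# computed under a key that is provisioned at pairing and never sent over the air.
PAIRING_KEY = b"example-key-provisioned-out-of-band"  # assumption for the demo

def build_frame(seq: int, units_x100: int, key: bytes = PAIRING_KEY) -> bytes:
    """Frame = 4-byte sequence number, 2-byte dose (hundredths of a unit), 8-byte tag."""
    body = struct.pack(">IH", seq, units_x100)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:8]
    return body + tag

class NaiveReceiver:
    """Models the reported weakness: no authentication and no sequence check."""
    def __init__(self):
        self.delivered = []
    def accept(self, frame: bytes) -> str:
        _seq, units_x100 = struct.unpack(">IH", frame[:6])
        self.delivered.append(units_x100)
        return "ok"

class HardenedReceiver:
    """Rejects forged, tampered and replayed frames before any dose is delivered."""
    def __init__(self, key: bytes = PAIRING_KEY):
        self.key = key
        self.last_seq = -1
        self.delivered = []
    def accept(self, frame: bytes) -> str:
        if len(frame) != 14:
            return "reject: malformed"
        body, tag = frame[:6], frame[6:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):      # constant-time comparison
            return "reject: bad tag"
        seq, units_x100 = struct.unpack(">IH", body)
        if seq <= self.last_seq:                        # replayed or out-of-order frame
            return "reject: replay"
        self.last_seq = seq
        self.delivered.append(units_x100)
        return "ok"

def demo():
    """Feed one captured frame twice to each receiver; return what each delivered."""
    frame = build_frame(seq=1, units_x100=50)           # legitimate 0.50-unit command
    naive, hardened = NaiveReceiver(), HardenedReceiver()
    for receiver in (naive, hardened):
        receiver.accept(frame)
        receiver.accept(frame)                           # the same frame seen again
    return naive.delivered, hardened.delivered
```

The naive receiver delivers the dose twice, while the hardened one delivers it once and refuses the repeat, a tampered frame, and a frame built under the wrong key.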

According to Rapid7, this protocol would allow an attacker to spoof a command to inject insulin at a “considerable distance” from the user.

Radcliffe told CSO Australia via email that using standard radio frequency equipment an attack could be launched from about 10 meters away. That’s substantially less than would be the case if the device were using 802.11 wi-fi, which would support attacks from kilometers away. However, late New Zealand security researcher Barnaby Jack did demonstrate attacks from 90m away in the 900 MHz band — the same band that the OneTouch Ping communicates on.

Still, the security firm believes the vulnerabilities, while potentially serious, should not be cause for panic to users.

This incident may go down as one of the better examples of cooperation between medical device makers and those who report security flaws. It follows the recent controversy over a deal between security firm MedSec and investment research firm Muddy Waters involving the latter taking a short position on medical device maker St. Jude Medical after MedSec found alleged flaws in its pacemakers that would allow a remote hack.

According to Rapid7, Animas was “highly responsive” to its report and is alerting users with recommended actions to mitigate risks.

The security firm also reported the flaws to CERT/CC, the Food and Drug Administration (FDA) and the U.S. Department of Homeland Security. The FDA generally encourages coordinated disclosure between security researchers and manufacturers, while medical device regulations require manufacturers to report flaws to the FDA — but only if they cause death or serious injury.

In January, the FDA issued draft guidance on steps manufacturers should take to address cyber security risks in their devices.

Animas on Tuesday published a letter to OneTouch Ping pump users that points out the relevant sections in the OneTouch Ping’s owner’s manual explaining how to turn off the pump’s radio frequency feature if they are concerned about a remote attack. That letter will be sent by post to users of the device.

“We have been notified of a cybersecurity issue with the OneTouch Ping, specifically that a person could potentially gain unauthorized access to the pump through its unencrypted radio frequency communication system. We want you to know that Animas has investigated this issue and has worked with the appropriate regulatory authorities and security experts, as we are always evaluating ways to further ensure patient safety and security,” Animas states in the letter.

It’s not clear how many users will be notified; however, Animas gained FDA approval for the insulin pump in 2008 and began selling it that year.
