Johnson & Johnson has issued a warning to patients advising them that recently discovered insulin pump security vulnerabilities could potentially be exploited by hackers to cause them to come to harm.
While the risk of that happening is believed to be “extremely low”, a warning was issued to ensure patients were kept fully informed. The warning was sent to 114,000 users of the devices in the U.S. and Canada. Patients were advised to keep using the affected product, but were provided with steps that can be taken to mitigate risk.
The insulin pump security vulnerabilities were discovered by Rapid7 security researcher Jay Radcliffe. Radcliffe was conducting research on medical device vulnerabilities and discovered three flaws in the Animas OneTouch Ping device. The flaws could be exploited by a malicious actor to obtain data from the device and cause the insulin pump to administer repeated doses of insulin. That could cause a patient to have a hypoglycemic attack, which could prove life threatening.
In order to exploit the insulin pump security vulnerabilities a hacker would need to have specialist equipment and would likely need to be within 25 feet of the intended target. However, Radcliffe suspects that with the right equipment an attack could be conducted from a much greater distance, possibly from more than a mile away.
The Animas OneTouch Ping is sold with a remote control that patients can use to administer an insulin injection. The remote control makes it much easier to administer insulin, as the actual insulin pump does not need to be physically accessed.
The pump and the remote control are paired so that one individual’s remote control will not work on another user’s pump. However, the security protocol used to pair the devices is weak. The two devices conduct a five-packet exchange which ensures that only the pump’s paired remote can be used, but those packets are always the same, so the exchange carries nothing that ties it to a particular session. One vulnerability would allow an attacker to eavesdrop on those exchanges; a second could be exploited to spoof communications from the remote. By doing so it would be possible to trigger repeated insulin doses.
Radcliffe contacted Animas to advise the company of the insulin pump security vulnerabilities and worked with the company to confirm that those vulnerabilities existed. He also provided assistance to develop mitigations. Only when those mitigations had been developed was the discovery made public.
Two possible mitigations have now been provided to patients: they can discontinue use of the remote control, or they can program the insulin pump to enforce a maximum insulin dose, which limits how much insulin any single command, legitimate or spoofed, can deliver. Radcliffe believes that patients who take the steps outlined by Johnson & Johnson in the notification letters would be safe.
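The two points above, a pairing exchange that is identical every time and a dose cap that bounds the damage a spoofed command can do, are easier to reason about with a concrete model. The following is an added, constructed example and not the OneTouch Ping protocol or any Animas code: `FIXED_HANDSHAKE`, the `StaticPairingPump` and `ChallengeResponsePump` classes, the HMAC-based `remote_sign` helper and the dose values are all hypothetical. It shows that a pump which only checks for a fixed packet sequence accepts a recorded copy of that sequence, that a per-session random nonce plus an authentication tag makes a recorded exchange useless, and that a maximum-dose limit rejects an oversized command regardless of how it was authenticated.

```python
import hashlib
import hmac
import os

# Constructed toy model (not the real device protocol): the "weak" pump pairs
# by a fixed sequence of packets; the "hardened" pump pairs by a fresh nonce
# and an HMAC over (nonce, dose). Both enforce an optional maximum dose.

FIXED_HANDSHAKE = [b"HELLO", b"ACK", b"ID", b"ACK", b"READY"]  # constructed
KEY = b"constructed-shared-secret-for-demo"                   # constructed


class StaticPairingPump:
    """Accepts any sender that reproduces the expected fixed handshake."""

    def __init__(self, handshake, max_units):
        self.handshake = handshake      # identical in every session
        self.max_units = max_units      # dose cap from the mitigation advice
        self.delivered = []

    def receive(self, packets, dose_units):
        if packets != self.handshake:
            return "rejected: bad handshake"
        return self._deliver(dose_units)

    def _deliver(self, dose_units):
        if dose_units > self.max_units:
            return "rejected: exceeds maximum dose"
        self.delivered.append(dose_units)
        return "delivered"


class ChallengeResponsePump(StaticPairingPump):
    """Issues a one-time random nonce; the remote must return HMAC(key, nonce|dose)."""

    def __init__(self, key, max_units):
        super().__init__(handshake=None, max_units=max_units)
        self.key = key
        self.pending = None

    def challenge(self):
        # Fresh 16-byte nonce per session; a recorded exchange cannot match it.
        self.pending = os.urandom(16)
        return self.pending

    def receive(self, nonce, dose_units, tag):
        if self.pending is None or nonce != self.pending:
            return "rejected: stale or unknown nonce"
        self.pending = None  # single use, even if the tag turns out valid
        expected = remote_sign(self.key, nonce, dose_units)
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad authentication tag"
        return self._deliver(dose_units)


def remote_sign(key, nonce, dose_units):
    """What a legitimate paired remote computes in the hardened design."""
    msg = nonce + b"|" + str(dose_units).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def demo():
    results = {}

    # Weak design: a legitimate session and a recorded copy look identical.
    weak = StaticPairingPump(FIXED_HANDSHAKE, max_units=10)
    results["weak_legit"] = weak.receive(FIXED_HANDSHAKE, 2)
    recorded = list(FIXED_HANDSHAKE)            # observed on the air, byte-for-byte
    results["weak_recorded"] = weak.receive(recorded, 2)   # still accepted
    results["weak_capped"] = weak.receive(recorded, 50)    # cap limits harm

    # Hardened design: nonce freshness makes the recording worthless.
    strong = ChallengeResponsePump(KEY, max_units=10)
    nonce = strong.challenge()
    tag = remote_sign(KEY, nonce, 2)
    results["strong_legit"] = strong.receive(nonce, 2, tag)
    strong.challenge()                                      # new session, new nonce
    results["strong_recorded"] = strong.receive(nonce, 2, tag)
    results["strong_bad_tag"] = strong.receive(strong.challenge(), 2, b"wrong")
    n = strong.challenge()
    results["strong_capped"] = strong.receive(n, 50, remote_sign(KEY, n, 50))
    results["weak_total_units"] = sum(weak.delivered)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The dose cap is deliberately enforced in the shared `_deliver` step rather than in the pairing logic: it is a safety limit that holds whether or not the sender was authenticated, which is exactly why the notification letters can offer it as a mitigation without changing the pairing exchange on a fielded device.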
The Animas OneTouch Ping is now 12 years old; more recent devices use encrypted communications and are more secure. No other Animas devices are believed to contain the vulnerabilities, although Radcliffe will be continuing his research.