Rapid7 security researcher Jay Radcliffe (previously) has Type 1 diabetes and has taken a personal interest in rooting out vulnerabilities in the networked, wireless-equipped blood-sugar monitors and insulin pumps marketed to people with diabetes, repeatedly finding potentially lethal defects in these devices.
Recently, Radcliffe revealed that Johnson & Johnson's 2008 Animas OneTouch Ping insulin pump does not encrypt the radio link between the pump and its Meter Remote, so an attacker within radio range can spoof the remote and trigger insulin delivery, potentially a lethal bolus.
Johnson & Johnson sent a letter to its customers downplaying the risk, saying that "The probability of unauthorized access to the OneTouch Ping system is extremely low" and "It would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping system is not connected to the internet or to any external network."
Other proof-of-concept attacks on medical implants envisioned spreading from device to device, for example, as users came together in specialized hospital clinics.
Radcliffe previously advised the US Copyright Office that Section 1201 of the Digital Millennium Copyright Act had prevented him from coming forward with similar revelations.
Medical devices are notoriously insecure, though some devices stand out as being especially alarming.
The OneTouch Ping insulin pump system uses cleartext communications rather than encrypted communications, in its proprietary wireless management protocol. Due to this lack of encryption, Rapid7 researcher Jay Radcliffe discovered that a remote attacker can spoof the Meter Remote and trigger unauthorized insulin injections.
Due to these insulin vulnerabilities, an adversary within sufficient proximity (which can depend on the radio transmission equipment being used) can remotely harm users of the system and potentially cause them to have a hypoglycemic reaction, if he or she does not cancel the insulin delivery on the pump.
These issues have been reported to the vendor, Animas Corporation, CERT/CC, the FDA and DHS. Animas has been highly responsive and is proactively notifying users of the devices, and recommending mitigations for the risks.
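The spoofing flaw the advisory excerpt describes, as an added example that is not Rapid7's, Animas's or this page's own code: a toy remote-to-pump command protocol in Python in which the pump acts on any bolus frame it hears, beside a hardened version of the same link that checks a shared-key HMAC and a monotonic counter before acting. The frame layout, opcode, pairing key, dose cap and dose values are all constructed for the example and are not the OneTouch Ping protocol.

```python
"""Added example (not Rapid7, Animas or page code): a hypothetical remote-to-pump
frame format, first as a cleartext link the pump trusts blindly, then with a
shared-key HMAC, a monotonic counter and a per-command dose cap."""
import hashlib
import hmac
import struct

CMD_BOLUS = 0x01  # hypothetical opcode: deliver N units of insulin now
MAX_BOLUS_UNITS = 10.0  # hypothetical safety cap, enforced by the pump itself

# Constructed 16-byte pairing key; in a real design it is established at
# pairing time and stored in both the pump and the remote.
PAIRED_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
TAG_LEN = 16          # truncated HMAC-SHA256 tag
BODY_FMT = ">QBf"     # counter (u64), opcode (u8), units (f32) = 13 bytes
BODY_LEN = struct.calcsize(BODY_FMT)


# ---- Vulnerable design: no key material, the pump trusts the airwaves ----

def build_frame_cleartext(cmd, units):
    """Remote side: opcode + dose, nothing that proves who sent it."""
    return struct.pack(">Bf", cmd, units)


def pump_accept_cleartext(frame):
    """Pump side. Anyone who can transmit this 5-byte frame gets a bolus."""
    cmd, units = struct.unpack(">Bf", frame)
    if cmd == CMD_BOLUS:
        return True, units
    return False, 0.0


# ---- Hardened design: authenticated, replay-protected, dose-capped ----

class PumpState:
    """What the pump must remember: the pairing key, the highest counter
    it has accepted (must survive reboots), and what it has delivered."""

    def __init__(self, key):
        self.key = key
        self.last_counter = 0
        self.delivered = []


def _tag(key, body):
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


def build_frame_authenticated(key, counter, cmd, units):
    """Remote side: body || HMAC(key, body). The counter is incremented by
    the remote for every frame so an old frame can never be accepted twice."""
    body = struct.pack(BODY_FMT, counter, cmd, units)
    return body + _tag(key, body)


def pump_accept_authenticated(state, frame):
    """Pump side. Returns (delivered, reason). Checks are ordered so that a
    frame with a bad tag never influences the counter or the delivery log."""
    if len(frame) != BODY_LEN + TAG_LEN:
        return False, "malformed"
    body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
    if not hmac.compare_digest(tag, _tag(state.key, body)):
        return False, "bad MAC"          # forged or tampered frame
    counter, cmd, units = struct.unpack(BODY_FMT, body)
    if counter <= state.last_counter:
        return False, "replay"           # a captured legitimate frame resent
    state.last_counter = counter
    if cmd != CMD_BOLUS:
        return False, "unknown command"
    if units <= 0 or units > MAX_BOLUS_UNITS:
        return False, "dose limit"       # safety cap independent of crypto
    state.delivered.append(units)
    return True, "delivered"


def demo():
    """Run the attacker's spoofed 25-unit bolus against both designs."""
    spoofed = build_frame_cleartext(CMD_BOLUS, 25.0)
    results = {"cleartext": pump_accept_cleartext(spoofed)}

    pump = PumpState(PAIRED_KEY)
    legit = build_frame_authenticated(PAIRED_KEY, 1, CMD_BOLUS, 2.5)
    results["legit"] = pump_accept_authenticated(pump, legit)
    results["replay"] = pump_accept_authenticated(pump, legit)
    forged = build_frame_authenticated(b"attacker-guessed-key", 2, CMD_BOLUS, 25.0)
    results["forged"] = pump_accept_authenticated(pump, forged)
    # Attacker rewrites the dose field of a fresh legitimate frame in flight.
    fresh = build_frame_authenticated(PAIRED_KEY, 2, CMD_BOLUS, 2.5)
    tampered = fresh[:9] + struct.pack(">f", 25.0) + fresh[BODY_LEN:]
    results["tampered"] = pump_accept_authenticated(pump, tampered)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} -> {outcome}")
```

The HMAC here gives authenticity and integrity only; the dose field still travels in the clear, so a design that also needs confidentiality would use an AEAD mode with the same counter as its nonce. Two practical caveats the code cannot solve on its own: the pairing key has to be provisioned without an attacker in radio range observing it, and the counter must be stored in non-volatile memory, since a pump that forgets `last_counter` on reboot reopens the replay path. The dose cap is deliberately independent of the cryptography, so that a stolen remote or leaked key still cannot request more than the pump's own limit in one command.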
R7-2016-07: Multiple Vulnerabilities in Animas OneTouch Ping Insulin Pump
Exclusive: J&J warns diabetic patients - Insulin pump vulnerable to hacking