Johnson & Johnson says people with diabetes don't need to worry about potentially lethal wireless attacks on insulin pumps

Rapid7 security researcher Jay Radcliffe (previously) has Type I diabetes, and has taken a personal interest in rooting out vulnerabilities in the networked, wireless-equipped blood-sugar monitors and insulin-pumps marketed to people with diabetes, repeatedly discovering potentially lethal defects in these devices.

Recently, Radcliffe revealed that Johnson & Johnson's 2008 Animas OneTouch Ping insulin pump did not encrypt communications between it and its remote control, allowing attackers to cause it to dump all of its insulin in one deadly bolus.

Johnson & Johnson sent a letter to its customers downplaying the risk, saying that "The probability of unauthorized access to the OneTouch Ping system is extremely low" and "It would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping system is not connected to the internet or to any external network."

Other proof-of-concept attacks on medical implants envisioned spreading from device to device, for example, as users came together in specialized hospital clinics.

Radcliffe previously advised the US Copyright Office that Section 1201 of the Digital Millennium Copyright Act had prevented him from coming forward with similar revelations.

Medical devices are notoriously insecure, though some devices stand out as being especially alarming.

The OneTouch Ping insulin pump system uses cleartext communications rather than encrypted communications, in its proprietary wireless management protocol. Due to this lack of encryption, Rapid7 researcher Jay Radcliffe discovered that a remote attacker can spoof the Meter Remote and trigger unauthorized insulin injections.

Due to these insulin vulnerabilities, an adversary within sufficient proximity (which can depend on the radio transmission equipment being used) can remotely harm users of the system and potentially cause them to have a hypoglycemic reaction, if he or she does not cancel the insulin delivery on the pump.

These issues have been reported to the vendor, Animas Corporation, CERT/CC, the FDA and DHS. Animas has been highly responsive and is proactively notifying users of the devices, and recommending mitigations for the risks.
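The advisory excerpt above describes the failure mode in one line: the pump trusts any well-formed frame it hears, so anything that can transmit on the channel can act as the Meter Remote. The following is an added illustration, not code from Rapid7, Animas or Johnson & Johnson, and it does not model the real OneTouch Ping protocol. It contrasts a receiver that accepts cleartext frames with one that requires a message authentication code under a pairing key, a monotonically increasing counter (so a recorded frame cannot be replayed), and a per-bolus dose ceiling as defense in depth. The pairing key, the frame layout (4-byte counter, 2-byte dose in tenths of a unit, 16-byte truncated HMAC-SHA256 tag) and the dose limit are all constructed for the example.

```python
import hashlib
import hmac
import struct

# Assumption: a pairing key provisioned when the remote is bound to the pump.
# Constructed value for this example; a real device would use a fresh random key.
PAIRING_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

# Hypothetical defense-in-depth cap on a single bolus: 25.0 units (stored as tenths).
MAX_BOLUS_TENTHS = 250

FRAME_BODY = ">IH"          # 4-byte counter, 2-byte dose in tenths of a unit
BODY_LEN = struct.calcsize(FRAME_BODY)
TAG_LEN = 16                # truncated HMAC-SHA256 tag


def encode_body(counter: int, dose_tenths: int) -> bytes:
    """Serialise the command fields into the fixed-size body."""
    return struct.pack(FRAME_BODY, counter, dose_tenths)


def sign_command(key: bytes, counter: int, dose_tenths: int) -> bytes:
    """Build an authenticated frame: body followed by an HMAC tag over the body."""
    body = encode_body(counter, dose_tenths)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class CleartextPump:
    """Models the advisory's finding: no key, no tag, any well-formed frame is obeyed."""

    def __init__(self) -> None:
        self.delivered = []

    def receive(self, frame: bytes) -> bool:
        if len(frame) < BODY_LEN:
            return False
        _counter, dose = struct.unpack(FRAME_BODY, frame[:BODY_LEN])
        self.delivered.append(dose)
        return True


class AuthenticatedPump:
    """Accepts a frame only if it carries a valid tag, a fresh counter and a sane dose."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_counter = 0
        self.delivered = []

    def receive(self, frame: bytes) -> bool:
        if len(frame) != BODY_LEN + TAG_LEN:
            return False
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison so tag checking does not leak timing information.
        if not hmac.compare_digest(tag, expected):
            return False
        counter, dose = struct.unpack(FRAME_BODY, body)
        if counter <= self.last_counter:
            return False        # replayed or reordered frame
        if dose > MAX_BOLUS_TENTHS:
            return False        # exceeds the configured single-bolus ceiling
        self.last_counter = counter
        self.delivered.append(dose)
        return True


def demo() -> dict:
    """Run both receivers against genuine, forged and replayed frames."""
    cleartext = CleartextPump()
    authed = AuthenticatedPump(PAIRING_KEY)

    genuine = sign_command(PAIRING_KEY, counter=1, dose_tenths=20)     # 2.0 units
    # A party without the pairing key can only guess the tag; zeros stand in for a guess.
    forged = encode_body(2, 250) + bytes(TAG_LEN)
    oversized = sign_command(PAIRING_KEY, counter=3, dose_tenths=9999)  # signed but absurd

    return {
        "cleartext_accepts_forged": cleartext.receive(forged),
        "auth_accepts_genuine": authed.receive(genuine),
        "auth_rejects_forged": authed.receive(forged),
        "auth_rejects_replay": authed.receive(genuine),
        "auth_rejects_oversized": authed.receive(oversized),
        "auth_delivered": list(authed.delivered),
        "cleartext_delivered": list(cleartext.delivered),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The cleartext receiver delivers the forged 25-unit command without any way to tell it from the remote's own traffic, which is exactly the "spoof the Meter Remote" finding. The authenticated receiver needs all three checks: the tag stops forgery, the counter stops replay of a frame captured earlier, and the dose ceiling limits the damage even if a paired remote is misused or the key is ever compromised.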

R7-2016-07: Multiple Vulnerabilities in Animas OneTouch Ping Insulin Pump [Todb/Rapid7]

Exclusive: J&J warns diabetic patients - Insulin pump vulnerable to hacking [Jim Finkle/Reuters]

(via Consumerist)

Notable Replies

  1. Compared to shooting "me", probably not. But since an attack like this could be done covertly, with a high likelihood of the perpetrator escaping notice and could be conducted in places where guns and other weapons might be screened against--airports, political speeches, courtrooms, public events--I'd say it's probably worth worrying about enough to put in at least the most basic of security measures like encrypted communication before an incident happens in the wild. If anyone ever does put in the effort to make it happen, they likely will have something else in mind other than targeting some random diabetic on the street.

  2. jacroe says:

    I think a better metaphor would be Ford saying that "Yeah we know that attackers can cause your Mustang to spontaneously combust with you in it, but it's very specialized. Hardly anyone can do it."

  3. Well that's a pretty good reason not to install any security software in an insulin pump. Hey, we're all going to die some day, amirite?

  4. What would distinguish someone being attacked like this from a general failure of the pump? Admittedly, the failure rate of these things is really damned low, but would someone looking into a death from an insulin overdose assume "random hacker attack" or "device error."

    Personally, I'm going to stick to doing my insulin manually and measuring the dosage by reading the numbers off the side of the syringes, but that's not an option for everyone. Adding some actual encryption protocols to devices like this just seems like a no-brainer and failure to do so is just kind of irresponsible.

    Sure, that's why I lock my doors. Not encrypting devices like these? That's like the construction company not even installing locks on the doors in the first place.

  5. I don't think there have been any attacks yet. That is not a very good reason to do nothing about it though.

    I would expect something that can kill you would have better security than your WiFi router. Right now it seems it doesn't even have the equivalent of the defeated WEP protocol.

    I would also hope this security gets better before anyone gets killed.
