Johnson & Johnson has issued a warning to patients about security vulnerabilities present in one of its insulin pumps. The vulnerabilities affect the company’s Animas OneTouch Ping device, which is used to deliver doses of insulin to diabetic patients. Two of the vulnerabilities could be exploited by a malicious actor to deliver dangerously high doses of insulin. Such an overdose could cause hypoglycemia, with potentially life-threatening consequences for the patient.
The vulnerabilities were discovered by medical device researcher Jay Radcliffe from security firm Rapid7. Animas Corporation, which is owned by J&J, was informed of the vulnerabilities and has been working with Radcliffe to develop mitigations to prevent the devices from being hijacked by malicious actors.
The Animas OneTouch Ping device includes a wireless remote control that patients can use to administer insulin without having to touch the device itself. The insulin pump and remote control are paired to ensure that only a pump’s accompanying remote control can be used to trigger a dose of insulin.
Radcliffe discovered that the paired devices communicate in the 900 MHz band using a proprietary management protocol; however, communications between the remote control and the insulin pump are transmitted in cleartext, without encryption.
This would enable the communications between the remote control and the device to be intercepted. The device could leak de-identified blood glucose results and details of insulin dosages, which could be intercepted by an individual in close proximity to the patient.
The second vulnerability discovered by Radcliffe is more serious, as it could be exploited by an attacker to remotely deliver insulin. The devices are paired to prevent one patient’s remote from triggering insulin delivery in another patient’s pump. However, the pairing process is weak. According to Radcliffe, “The pairing process is done through a 5 packet exchange in the clear where the two devices exchange serial numbers and some header information.” Radcliffe explains that “The 5 packets are identical every time the pairing process is done between the remote and insulin pump… attackers can trivially sniff the remote/pump key and then spoof being the remote or the pump.” This would allow the attacker to deliver additional insulin doses.
Radcliffe also discovered that “communication between the pump and remote have no sequence numbers, timestamps, or other forms of defense against replay attacks.” An attacker could therefore conduct a replay attack, delivering additional doses of insulin to induce a hypoglycemic attack.
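As an added illustration of the replay weakness described above (not code from the article, Rapid7 or Animas; the message format, serials and shared secret are constructed assumptions and do not model the real proprietary protocol), a toy "deliver dose" command handler that trusts any message carrying the paired serial, beside one that verifies an HMAC and a strictly increasing counter:

```python
import hashlib
import hmac
import json

# Constructed model of a "deliver dose" command, not the real Animas protocol
# (which is proprietary); field names, serials and the secret are assumptions.
REMOTE_SERIAL = "RMT-000456"   # constructed sample serial
PUMP_SERIAL = "PUMP-000123"    # constructed sample serial
KEY = b"constructed-shared-secret"  # provisioned out of band, never sent over the air

def _tag(body):
    # HMAC-SHA256 over the canonical encoding of every field the pump acts on
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()

def make_command(counter, units):
    body = {"remote": REMOTE_SERIAL, "pump": PUMP_SERIAL, "counter": counter, "units": units}
    return dict(body, tag=_tag(body))

def weak_accepts(msg, paired_remote):
    # Models the design described above: the pump trusts any message carrying the
    # paired serial, so an identical copy of an old message is accepted again.
    return msg["remote"] == paired_remote

class HardenedPump:
    """Verifies the HMAC and requires a strictly increasing counter."""
    def __init__(self):
        self.last_counter = 0
        self.delivered = []

    def receive(self, msg):
        body = {k: msg[k] for k in ("remote", "pump", "counter", "units")}
        if not hmac.compare_digest(_tag(body), msg.get("tag", "")):
            return False          # altered or forged command
        if body["remote"] != REMOTE_SERIAL or body["pump"] != PUMP_SERIAL:
            return False          # not this pump's paired remote
        if body["counter"] <= self.last_counter:
            return False          # replayed or stale command
        self.last_counter = body["counter"]
        self.delivered.append(body["units"])
        return True

def demo():
    """Send one legitimate command, then the same captured message again."""
    cmd = make_command(counter=1, units=2.0)
    weak_doses = [cmd["units"] for _ in range(2) if weak_accepts(cmd, REMOTE_SERIAL)]
    pump = HardenedPump()
    results = [pump.receive(cmd), pump.receive(cmd)]
    tampered = dict(cmd, units=20.0)          # dose changed, tag no longer matches
    return weak_doses, pump.delivered, results, pump.receive(tampered)
```

The weak handler doses twice from one captured message, while the hardened one accepts the first command, rejects the duplicate on the counter check, and rejects the altered dose on the HMAC check.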
Radcliffe was able to demonstrate that an attack of this nature was possible. The range of the remote control is approximately 25 feet, although with a sufficiently powerful transmitter the attack could be performed from a greater distance. According to Radcliffe, “attacks could be performed from one to two kilometers (0.62 to 1.24 miles) away, if not substantially further, using sufficient elevation and off-the-shelf radio transmission gear available to ham radio hobbyists.”
Radcliffe was careful to point out in the blog post announcing the vulnerabilities that they should not be a cause for panic as the risk of mass exploitation of the vulnerabilities is low. J&J also confirmed to patients that the risk is extremely low and no reports of attempted attacks have been received.
According to Reuters, J&J has mailed warnings to 114,000 patients in the United States to alert them to the flaw. This will allow them to make a decision about whether to continue using the devices. J&J has also provided patients with details of steps that can be taken to fix the problem. Two methods of securing the devices include stopping use of the wireless remote or programming the pump not to exceed a maximum insulin dose, instructions for which were included in the letter.
The security issue is believed to only affect the Animas OneTouch Ping device, although Radcliffe is also investigating other Animas devices to check for vulnerabilities.
While it is unusual for a medical device manufacturer to inform patients of a security risk that could be exploited by hackers, the move is unsurprising following the handling of the alleged vulnerabilities discovered in certain St. Jude Medical devices.
Security researchers at MedSec claimed to have discovered vulnerabilities in St. Jude Medical devices, but bypassed the device manufacturer and provided the information to short-selling firm Muddy Waters. That method of disclosure benefited MedSec and Muddy Waters; however, the move has been criticized for placing profit before patient safety. MedSec claimed the decision not to report the vulnerabilities to St. Jude Medical was to ensure that action was taken to keep patients safe and raise awareness of the problems.
However, in the case of Radcliffe’s discovery, the vulnerabilities were handled in a more conventional and ethical fashion.
Radcliffe discovered the vulnerabilities in April 2016, and Rapid7 first notified Animas and J&J of the security vulnerabilities. The vulnerabilities were then reported to the U.S. Food and Drug Administration, CERT, and the Department of Homeland Security. Rapid7 also worked closely with Animas/J&J to verify that the vulnerabilities existed and to ensure that mitigations were developed prior to public disclosure. That method of reporting security vulnerabilities in medical devices matches the draft guidance issued by the FDA earlier this year.