Rapid7 and Johnson & Johnson disclosed three vulnerabilities in the Animas OneTouch Ping insulin pump system, flaws that could be remotely exploited. However, the attack is sophisticated, and both say the risk of exploitation is “relatively low.”
OneTouch Ping is a medical device that comes with a wireless remote control patients can use to deliver insulin instead of accessing the device under their clothes. The Johnson & Johnson Animas device is described as a “two-part system”: the pump and a meter remote, which communicates wirelessly via RF communication “to deliver insulin from the pump.”
The flaws were discovered by Jay Radcliffe, a security researcher at Rapid7 and a diabetic who has previously disclosed vulnerabilities in an insulin device. This time, Radcliffe discovered the OneTouch Ping insulin pump system doesn’t use encryption to communicate. An attacker could spoof communications between the pump and the remote in order to force doses of insulin.
Rapid7 explained that because the communications are in cleartext, “a remote attacker can spoof the Meter Remote and trigger unauthorized insulin injections.”
Johnson & Johnson took an unprecedented step, since the manufacturer is the first to issue a warning about cyber vulnerabilities.
According to Reuters, Johnson & Johnson sent letters (pdf) to doctors and about 114,000 patients in the United States and Canada. It said, “The probability of unauthorized access to the OneTouch Ping system is extremely low.”
Animus was able to exploit the vulnerabilities disclosed in Radcliffe’s research and confirmed “that a hacker could order the pump to dose insulin from a distance of up to 25 feet.”
Rapid7 said, “It is believed these attacks could be performed from one to two kilometers away, if not substantially further, using sufficient elevation and off-the-shelf radio transmission gear available to ham radio hobbyists.”
Not wanting non-technical diabetics to panic, Radcliffe clarified, “Most people are at limited risk of any of the issues related to this research. These are sophisticated attacks that require being physically close to a pump. Some people will choose to see this as significant, and for that they can turn off the RF/remote features of the pump and eliminate that risk.”
He advised against freaking out and removing the pump, since “removing an insulin pump from a diabetic over this risk is similar to never taking an airplane because it might crash.”
He added that if his kids were to become diabetics, then he “would not hesitate to put them on a OneTouch Ping. It is not perfect, but nothing is. In this process I have worked with Animas and its parent company, Johnson & Johnson, and know that they are focused on taking care of the patient and doing what is right.”
Radcliffe did 90 percent of his research on the device that was attached to him for years. He wants medical devices to be safe in the future, urging vendors, regulators and researchers to work together.
“As these devices get more advanced and eventually connect to the internet (directly or indirectly), the level of risk goes up dramatically,” he said.
Rapid7 first reached out to the vendor in April. In September, Johnson & Johnson provided mitigations. Today, October 4, the vulnerabilities were revealed to the public.
Radcliffe told Reuters that OneTouch Ping users should follow the steps in the letter from Johnson & Johnson in order to be safe. It explained how to turn off the pump’s radio frequency feature. Users who wish to leave RF on can limit the amount of bolus insulin that can be delivered, as well as turn on vibrating alerts; the alerts notify a patient that a dose is being initiated by the meter remote and gives them an option to cancel the dose.
You can find Rapid7’s full findings about the “communications transmitted in cleartext, weak pairing between remote and pump, and lack of replay attack prevention or transmission assurance” here. Additionally, there is a demonstration video of an attack on the Animas OneTouch Ping.