Medical device manufacturer Animas, a subsidiary of Johnson & Johnson, is warning diabetic patients who use its OneTouch Ping insulin pumps about security issues that could allow hackers to deliver unauthorized doses of insulin.
The vulnerabilities were discovered by Jay Radcliffe, a security researcher at Rapid7 who is a Type I diabetic and user of the pump. The flaws primarily stem from a lack of encryption in the communication between the device's two parts: the insulin pump itself and the meter-remote that monitors blood sugar levels and remotely tells the pump how much insulin to administer.
The pump and the meter use a proprietary wireless management protocol through radio frequency communications that are not encrypted. This exposes the system to several attacks.
First, passive attackers can snoop on the traffic and read the blood glucose results and insulin dosage data. Then, they can trivially spoof the meter to the pump because the key used to pair the two devices is transmitted in clear text.
"This vulnerability can be used to remotely dispense insulin and potentially cause the patient to have a hypoglycemic reaction," the Rapid7 researchers said in a blog post.
A third issue is that the pump lacks protection against so-called relay attacks, where a legitimate command is intercepted and then is played back by the attacker at a later time. This allows attackers to perform an insulin bolus without special knowledge, the researchers said.
While the meter-remote is advertised to work from up to 10 meters away, it is technically possible to launch spoofing attacks from much greater distances with more powerful radio transmission gear like that used by ham radio hobbyists.
Animas has published a security notice on its website with recommendations and will also send letters to customers.
The company views the probability of unauthorized access to the One Touch Ping system as very low, saying these attacks "would require technical expertise, sophisticated equipment, and proximity to the pump."
Concerned users can turn off the pump's radio frequency feature, but patients will then have to enter the blood glucose readings manually because the meter will no longer be able to transmit them.
Additionally, the pump can be programmed to limit the amount of bolus insulin that can be delivered at once, over a two-hour period and per day. Attempts to exceed these settings will trigger a pump alarm and prevent bolus insulin delivery, Animas said.
The high or low blood sugar risks a diabetic has to deal with every day are more serious than the risks introduced by these vulnerabilities, Radcliffe said. Removing an insulin pump from a diabetic over the security issues would be comparable to never flying in an airplane because it might crash, he said.
However, "as these devices get more advanced, and eventually connect to the internet (directly or indirectly), the level of risk goes up dramatically," the researcher warned. "This research highlights why it is so important to wait for vendors, regulators, and researchers to fully work on these highly complex devices."
Before going public, Radcliffe worked with Animas and parent company, Johnson & Johnson, to help them understand the flaws and develop mitigations. This is in stark contrast to researchers from a company called MedSec who recently chose to share information about vulnerabilities in heart devices from St. Jude Medical with an investment research firm so the firm could short the device maker's stock.
The security of medical devices has been a hot topic in the security research community for the past several years. Some vendors have taken notice and have launched vulnerability coordination programs, and the U.S. Food and Drug Administration actively encourages medical device manufacturers to work with security researchers.