New insulin pump flaws highlights security risks from medical devices

Attackers exploit flaws in the Animas OneTouch Ping insulin pump system to deliver dangerous insulin doses

Medical device manufacturer Animas, a subsidiary of Johnson & Johnson, is warning diabetic patients who use its OneTouch Ping insulin pumps about security issues that could allow hackers to deliver unauthorized doses of insulin.

The vulnerabilities were discovered by Jay Radcliffe, a security researcher at Rapid7 who is a Type I diabetic and user of the pump. The flaws primarily stem from a lack of encryption in the communication between the device's two parts: the insulin pump itself and the meter-remote that monitors blood sugar levels and remotely tells the pump how much insulin to administer.

The pump and the meter use a proprietary wireless management protocol through radio frequency communications that are not encrypted. This exposes the system to several attacks.

First, passive attackers can snoop on the traffic and read the blood glucose results and insulin dosage data. Then, they can trivially spoof the meter to the pump because the key used to pair the two devices is transmitted in clear text.

"This vulnerability can be used to remotely dispense insulin and potentially cause the patient to have a hypoglycemic reaction," the Rapid7 researchers said in a blog post.

A third issue is that the pump lacks protection against so-called relay attacks, where a legitimate command is intercepted and then is played back by the attacker at a later time. This allows attackers to perform an insulin bolus without special knowledge, the researchers said.

While the meter-remote is advertised to work from up to 10 meters away, it is technically possible to launch spoofing attacks from much greater distances with more powerful radio transmission gear like that used by ham radio hobbyists.

Animas has published a security notice on its website with recommendations and will also send letters to customers.

The company views the probability of unauthorized access to the One Touch Ping system as very low, saying these attacks "would require technical expertise, sophisticated equipment, and proximity to the pump."

Concerned users can turn off the pump's radio frequency feature, but patients will then have to enter the blood glucose readings manually because the meter will no longer be able to transmit them.

Additionally, the pump can be programmed to limit the amount of bolus insulin that can be delivered at once, over a two-hour period and per day. Attempts to exceed these settings will trigger a pump alarm and prevent bolus insulin delivery, Animas said.

The high or low blood sugar risks a diabetic has to deal with every day are more serious than the risks introduced by these vulnerabilities, Radcliffe said. Removing an insulin pump from a diabetic over the security issues would be comparable to never flying in an airplane because it might crash, he said.

However, "as these devices get more advanced, and eventually connect to the internet (directly or indirectly), the level of risk goes up dramatically," the researcher warned. "This research highlights why it is so important to wait for vendors, regulators, and researchers to fully work on these highly complex devices."

Before going public, Radcliffe worked with Animas and parent company, Johnson & Johnson, to help them understand the flaws and develop mitigations. This is in stark contrast to researchers from a company called MedSec who recently chose to share information about vulnerabilities in heart devices from St. Jude Medical with an investment research firm so the firm could short the device maker's stock.

The security of medical devices has been a hot topic in the security research community for the past several years. Some vendors have taken notice and have launched vulnerability coordination programs, and the U.S. Food and Drug Administration actively encourages medical device manufacturers to work with security researchers.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags medical

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?