J&J warns insulin pump bugs expose diabetics to remote hacks

Animas, a Johnson & Johnson company and the maker of the OneTouch Ping wireless insulin pump, is warning its diabetic users that flaws in communications between the device and a remote blood glucose meter, could be used to trigger an unauthorized insulin injection. If that injection were not stopped in time, it could cause the wearer to experience a hypoglycemic reaction.

The flaws were discovered by Rapid7 security researcher, Jay Radcliffe, a diabetic himself, who analyzed the equipment and found that communications between the meter and pump were sent unencrypted, or in the clear. Using the vulnerabilities he’s also demonstrated that it is possible to deliver a diabetic an 20 units of insulin, or enough to cause an insulin reaction.

“During the normal course of operation, de-identified blood glucose results and insulin dosage data is being leaked out for eavesdroppers to remotely receive,” Rapid7 explained in an advisory.

A second flaw relates to weak pairing between the remote and pump, which relies on a key that is again transmitted in the clear. Attackers could “trivially” sniff the key that is used to pair the remote and pump and then spoof either device. It’s this flaw that can be used to remotely inject insulin and cause the patient to have a hypoglycemic reaction.

The product also lacks any defenses against so-called “replay attacks” where an attacker captures an authorized transmission and then replays that at a later time, which in the case of an insulin pump and remote meter could cause a hypoglycemic reaction.

Finally, Animas was also using a proprietary management protocol to communicate between meter and pump and that protocol lacked controls to ensure packets are received by each device in a specific sequence.

According to Rapid7, this protocol would allow an attacker to spoof a command to inject insulin at a “considerable distance” from the user.

Radcliffe told CSO Australia via email that using standard radio frequency equipment an attack could be launched from about 10 meters away. That’s substantially less than would be the case if the device was using 802.11 wi-fi, which would support attacks from kilometers away. However, late New Zealand security researcher Barnaby Jack did demonstrate attacks from 90m away in the 900 mHz band — the same band that the OneTouch Ping communicates on.

Still, the security firm believes the vulnerabilities, while potentially serious, should not be cause for panic to users.

This incident may go down as one of the better examples of cooperation between medical device makers and those who report security flaws. It follows the recent controversy over a deal between security firm MedSec and investment research firm Muddy Waters involving the latter taking a short position on medical device maker St. Jude Medical after MedSec found alleged flaws in its pacemakers that would allow a remote hack.

According to Rapid7, Animas was “highly responsive” to its report and is alerting users with recommended actions to mitigate risks.

The security firm also reported the flaws to CERT/CC, the Food and Drug Administration (FDA) and U.S Department of Homeland Security. The FDA generally encourages coordinated disclosure between security researchers while medical device regulations require manufacturers to report flaws to the FDA — but only if they cause death or serious injury.

In January, the FDA issued draft guidance on steps manufacturers should take to address cyber security risks in their devices.

Animas on Tuesday published a letter to OneTouch Ping pump users that does point out relevant sections in the OneTouch Ping’s owners manual that explain how to turn off the pump’s radio frequency feature if they are concerned about a remote attack. That letter will be sent by post to users of the device.

“We have been notified of a cybersecurity issue with the OneTouch Ping, specifically that a person could potentially gain unauthorized access to the pump through its unencrypted radio frequency communication system. We want you to know that Animas has investigated this issue and has worked with the appropriate regulatory authorities and security experts, as we are always evaluating ways to further ensure patient safety and security,” Animas states in the letter.

It’s not clear how many users will be notified however Animas gained FDA approval for the insulin pump in 2008 and began selling it that year.