These diabetes pumps obey unencrypted radio commands – which is, frankly, f*%king stupid
Risk of malicious injections 'extremely low' allegedly
Johnson & Johnson's Animas division has issued a letter [PDF] warning diabetes patients using its OneTouch Ping insulin pump that the device could be triggered remotely.
Discounting the possibility of an attack as "extremely low," the company nonetheless says that "a person could potentially gain unauthorized access to the pump through its unencrypted radio frequency communication system."
The OneTouch Ping consists of two components: the Insulin Pump, which delivers doses of insulin to patients, and the Meter Remote, which monitors the patient's blood glucose level and can signal the Insulin Pump from up to 10 feet away to inject the patient.
Were a diabetes patient to be victimized by such an attack, he or she could be overdosed with insulin. A 2013 article in the journal Clinical Toxicology says insulin dosing errors represent one of the most dangerous medication issues because of the risk of hypoglycemia.
The Animas letter advises customers who are concerned about the flaw to disable the pump's radio as a precaution. Doing so, however, necessitates entering meter readings into the pump manually. The letter also recommends turning on the Vibrating Alert feature, so that the patient is alerted whenever a dose is about to be administered, and setting a limit on the amount of insulin that can be delivered over a given period of time.
In an email, Bridget Kimmel, senior manager for communications and public affairs for Johnson & Johnson Diabetes Solutions, said Animas has sold approximately 114,000 OneTouch Ping devices.
"Since Animas Corporation launched the product in the US in 2008 and Canada in 2009, there were zero patient complaints (and no patients affected) related to this issue prior to Jay Radcliffe of Rapid7 reporting it through the Johnson & Johnson product vulnerability disclosure reporting process," said Kimmel.
An Animas statement says patients and healthcare providers have been contacted about this issue. "Animas continues to work with the appropriate regulatory bodies and security experts on this issue as we are always evaluating ways to further ensure patient safety and enhance security," the company said.
On its website, Animas cites a study that suggests its device performs better than the competing Medtronic Paradigm Bolus Wizard. But the two devices have something in common: In 2011, cybersecurity researcher Jay Radcliffe revealed flaws in several Medtronic insulin pump models. At the time, Medtronic too characterized the risk of abuse as "extremely low."
Following the vulnerabilities revealed in 2011 and the 2012 demonstration of a pacemaker hack by Barnaby Jack at the Ruxcon Breakpoint security conference in Melbourne, Australia, the US Food and Drug Administration in 2013 began formulating cybersecurity guidance for medical device makers. The guidelines were released in 2014. And the FDA released a new set of proposed guidelines at the beginning of this year.
Given that security tends to add complexity and cost to technology products, the chance that companies will adopt the FDA's cybersecurity guidelines fully can be considered to be extremely low. ®