Menu
New insulin pump flaws highlights security risks from medical devices

New insulin pump flaws highlights security risks from medical devices

Attackers exploit flaws in the Animas OneTouch Ping insulin pump system to deliver dangerous insulin doses

Medical device manufacturer Animas, a subsidiary of Johnson & Johnson, is warning diabetic patients who use its OneTouch Ping insulin pumps about security issues that could allow hackers to deliver unauthorized doses of insulin.

The vulnerabilities were discovered by Jay Radcliffe, a security researcher at Rapid7 who is a Type I diabetic and user of the pump. The flaws primarily stem from a lack of encryption in the communication between the device's two parts: the insulin pump itself and the meter-remote that monitors blood sugar levels and remotely tells the pump how much insulin to administer.

The pump and the meter use a proprietary wireless management protocol through radio frequency communications that are not encrypted. This exposes the system to several attacks.

First, passive attackers can snoop on the traffic and read the blood glucose results and insulin dosage data. Then, they can trivially spoof the meter to the pump because the key used to pair the two devices is transmitted in clear text.

"This vulnerability can be used to remotely dispense insulin and potentially cause the patient to have a hypoglycemic reaction," the Rapid7 researchers said in a blog post.

A third issue is that the pump lacks protection against so-called relay attacks, where a legitimate command is intercepted and then is played back by the attacker at a later time. This allows attackers to perform an insulin bolus without special knowledge, the researchers said.

While the meter-remote is advertised to work from up to 10 meters away, it is technically possible to launch spoofing attacks from much greater distances with more powerful radio transmission gear like that used by ham radio hobbyists.

Animas has published a security notice on its website with recommendations and will also send letters to customers.

The company views the probability of unauthorized access to the One Touch Ping system as very low, saying these attacks "would require technical expertise, sophisticated equipment, and proximity to the pump."

Concerned users can turn off the pump's radio frequency feature, but patients will then have to enter the blood glucose readings manually because the meter will no longer be able to transmit them.

Additionally, the pump can be programmed to limit the amount of bolus insulin that can be delivered at once, over a two-hour period and per day. Attempts to exceed these settings will trigger a pump alarm and prevent bolus insulin delivery, Animas said.

The high or low blood sugar risks a diabetic has to deal with every day are more serious than the risks introduced by these vulnerabilities, Radcliffe said. Removing an insulin pump from a diabetic over the security issues would be comparable to never flying in an airplane because it might crash, he said.

However, "as these devices get more advanced, and eventually connect to the internet (directly or indirectly), the level of risk goes up dramatically," the researcher warned. "This research highlights why it is so important to wait for vendors, regulators, and researchers to fully work on these highly complex devices."

Before going public, Radcliffe worked with Animas and parent company, Johnson & Johnson, to help them understand the flaws and develop mitigations. This is in stark contrast to researchers from a company called MedSec who recently chose to share information about vulnerabilities in heart devices from St. Jude Medical with an investment research firm so the firm could short the device maker's stock.

The security of medical devices has been a hot topic in the security research community for the past several years. Some vendors have taken notice and have launched vulnerability coordination programs, and the U.S. Food and Drug Administration actively encourages medical device manufacturers to work with security researchers.


Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags medical

Featured

Slideshows

Kiwi channel comes together for another round of After Hours

Kiwi channel comes together for another round of After Hours

The channel came together for another round of After Hours, with a bumper crowd of distributors, vendors and partners descending on The Jefferson in Auckland. Photos by Maria Stefina.​

Kiwi channel comes together for another round of After Hours
Consegna comes to town with AWS cloud offerings launch in Auckland

Consegna comes to town with AWS cloud offerings launch in Auckland

Emerging start-up Consegna has officially launched its cloud offerings in the New Zealand market, through a kick-off event held at Seafarers Building in Auckland.​ Founded in June 2016, the Auckland-based business is backed by AWS and supported by a global team of cloud specialists, leveraging global managed services partnerships with Rackspace locally.

Consegna comes to town with AWS cloud offerings launch in Auckland
Veritas honours top performing trans-Tasman partners

Veritas honours top performing trans-Tasman partners

Veritas honoured its top performing partners across the channel in Australia and New Zealand, recognising innovation and excellence on both sides of the Tasman. Revealed under the Vivid lights in Sydney, Intalock claimed the coveted Partner of the Year 2017 (Pacific) award, with Data#3 acknowledged for 12 months of strong growth across the market. Meanwhile, Datacom took home the New Zealand honours, with Global Storage and Insentra winning service provider and consulting awards respectively. Dicker Data was recognised as the standout distributor of the year, while Hitachi Data Systems claimed the alliance partner award. Photos by Bob Seary.

Veritas honours top performing trans-Tasman partners
Show Comments