OneTouch Ping insulin pumps manufactured by Johnson & Johnson-owned Animas are affected by several vulnerabilities that can be exploited by an attacker within radio range to take control of the device and potentially harm the diabetic patients who use it. While the security holes are serious, the risk is considered relatively low and the vendor does not plan to release a firmware update.
Rapid7 researcher Jay Radcliffe, who has been a Type 1 diabetic for 17 years, analyzed Animas’ OneTouch Ping insulin pumps. The product has two main components: the insulin pump itself and a remote that controls the pump’s functions over a radio link from up to 10 feet away.
The four major vulnerabilities found by Radcliffe in the OneTouch Ping product have been detailed in a Rapid7 blog post and in an advisory from the Department of Homeland Security’s ICS-CERT.
The researcher discovered that the remote and the pump communicate over an unencrypted channel (CVE-2016-5084), allowing a man-in-the-middle (MitM) attacker to intercept patient treatment and device data. The vendor pointed out that while some data is exposed, it does not include any personally identifiable information.
Another vulnerability identified by Radcliffe is related to the setup process in which the pump is paired with the remote. Pairing is meant to prevent the pump from accepting commands from other remotes, but the key the devices use when they exchange information is derived only from serial numbers and some header information, and it is transmitted without any form of encryption, so anyone who captures the pairing exchange can reconstruct it.
This weak pairing (CVE-2016-5085) allows an attacker to spoof the remote and issue commands to dispense arbitrary amounts of insulin, which could lead to the patient having a hypoglycemic reaction.
The researcher also noticed that OneTouch Ping pumps lack protection against replay (CVE-2016-5086) and spoofing (CVE-2016-5686) attacks. Because packets carry no freshness value and no authentication tag, an attacker can capture legitimate packets and replay them at a later time, or send spoofed packets carrying arbitrary commands. In both cases, the attacker can instruct the device to dispense insulin and potentially harm the user.
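The pairing, replay and spoofing weaknesses above come from one design gap: the pump accepts any well-formed command whose "key" it can match, and that key is computable from data sent in the clear. The following Python is an added illustration, not code from Rapid7 or Animas and not a model of the real OneTouch Ping radio protocol or packet format. It uses a constructed toy command channel with made-up serial numbers to show why a serial-derived key with no freshness check lets a sniffed packet be replayed and a forged one accepted, and how a random pairing secret, an HMAC over the command and a monotonic counter reject both.

```python
import hashlib
import hmac
import os
import struct

# Constructed identifiers for the example only; not real Animas device serials.
PUMP_SERIAL = b"PUMP0001234"
REMOTE_SERIAL = b"REMOTE05678"
CMD_BOLUS = 0x01  # hypothetical command code: deliver a bolus


# ---- Weak design: key derivable from cleartext serials, no freshness, no MAC ----

def weak_pair_key(pump_serial: bytes, remote_serial: bytes) -> bytes:
    """Pairing 'key' that is only a function of the serial numbers, all of which
    an eavesdropper sees on the air (the kind of weakness behind CVE-2016-5085)."""
    return hashlib.sha256(pump_serial + remote_serial).digest()[:4]


def weak_build(key: bytes, units_x10: int) -> bytes:
    # Toy frame: key(4) | cmd(1) | bolus in tenths of a unit (uint16, big-endian)
    return key + struct.pack(">BH", CMD_BOLUS, units_x10)


class WeakPump:
    def __init__(self, pump_serial: bytes, remote_serial: bytes):
        self.key = weak_pair_key(pump_serial, remote_serial)
        self.deliveries = []

    def receive(self, packet: bytes) -> bool:
        if len(packet) != 7 or packet[:4] != self.key:
            return False
        cmd, units_x10 = struct.unpack(">BH", packet[4:])
        if cmd != CMD_BOLUS:
            return False
        self.deliveries.append(units_x10)  # no replay check: a duplicate delivers again
        return True


# ---- Hardened design: random pairing secret, HMAC tag, monotonic counter ----

def hardened_build(secret: bytes, counter: int, units_x10: int) -> bytes:
    # Toy frame: counter(4) | cmd(1) | units(2) | HMAC-SHA256 tag truncated to 16 bytes
    body = struct.pack(">IBH", counter, CMD_BOLUS, units_x10)
    tag = hmac.new(secret, body, hashlib.sha256).digest()[:16]
    return body + tag


class HardenedPump:
    def __init__(self, secret: bytes):
        self.secret = secret          # assumed to be established out of band at pairing
        self.last_counter = 0
        self.deliveries = []

    def receive(self, packet: bytes) -> bool:
        if len(packet) != 7 + 16:
            return False
        body, tag = packet[:7], packet[7:]
        expected = hmac.new(self.secret, body, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expected):
            return False              # spoofed or tampered: tag does not verify
        counter, cmd, units_x10 = struct.unpack(">IBH", body)
        if cmd != CMD_BOLUS or counter <= self.last_counter:
            return False              # replayed (or reordered) packet
        self.last_counter = counter
        self.deliveries.append(units_x10)
        return True


def demo() -> dict:
    """Runs the same attacker moves against both pumps and reports what each accepted."""
    results = {}
    weak = WeakPump(PUMP_SERIAL, REMOTE_SERIAL)
    sniffed = weak_build(weak_pair_key(PUMP_SERIAL, REMOTE_SERIAL), 20)  # legit 2.0 U bolus
    results["weak_legit"] = weak.receive(sniffed)
    results["weak_replay"] = weak.receive(sniffed)                       # same bytes again
    forged = weak_build(weak_pair_key(PUMP_SERIAL, REMOTE_SERIAL), 250)  # attacker-chosen 25.0 U
    results["weak_spoof"] = weak.receive(forged)
    results["weak_total_x10"] = sum(weak.deliveries)

    secret = os.urandom(16)  # constructed pairing secret; never derived from serials
    hard = HardenedPump(secret)
    pkt = hardened_build(secret, 1, 20)
    results["hard_legit"] = hard.receive(pkt)
    results["hard_replay"] = hard.receive(pkt)
    results["hard_spoof"] = hard.receive(hardened_build(b"\x00" * 16, 2, 250))  # guessed key
    tampered = pkt[:5] + struct.pack(">H", 250) + pkt[7:]                     # edit units, keep tag
    results["hard_tamper"] = hard.receive(tampered)
    results["hard_total_x10"] = sum(hard.deliveries)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In the weak model all three packets (legitimate, replayed, forged) are accepted and the pump "delivers" 29.0 units; in the hardened model only the genuine packet is accepted. A real design would additionally need a counter resynchronization path, a hard cap on bolus size enforced on the pump regardless of what the remote asks for, and a pairing step that does not expose the secret on the air.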
The OneTouch Ping pump and its remote are not connected to the Internet, so these attacks cannot be carried out over very long distances. However, specialized radio equipment could allow attacks to be conducted from hundreds of feet away, and possibly from as far as one mile, the researchers warned.
While these are serious vulnerabilities, Radcliffe said the risk is relatively low and the goal of the research is to raise awareness, allow users to make informed decisions, and get manufacturers to focus more on security when designing their products.
“Removing an insulin pump from a diabetic over this risk is similar to never taking an airplane because it might crash,” the expert noted.
Johnson & Johnson, which notified patients and healthcare professionals of Rapid7’s findings via physical mail, said it does not plan to release a firmware update to address the vulnerabilities. Instead, the company has provided instructions on how the attacks can be mitigated using features already available in the OneTouch Ping product, such as turning off the pump’s radio frequency feature (which disables the remote), enabling the vibrating alert so the patient is notified of every bolus, and programming the pump’s maximum bolus and daily insulin limits.
Rapid7’s coordinated disclosure contrasts with the path taken in August by medical device security firm MedSec, which disclosed vulnerabilities found in St. Jude Medical products without notifying the vendor. MedSec instead teamed up with an investment research company that used the findings as part of a short-selling strategy, which led St. Jude to file a lawsuit.