In brief: A flaw in a wearable insulin pump sold by Johnson & Johnson has the potential to allow a malicious actor to force the device to administer doses of insulin to a patient without their knowledge.
A flaw in a wearable insulin pump sold by Johnson & Johnson has the potential to allow a malicious actor to force the device to administer doses of insulin to a patient without their knowledge, according to security researchers at the firm Rapid7.
The AnimasOneTouch® Ping® Insulin pump uses cleartext communications to send commands wirelessly between a management device, known as a “Meter Remote” and an insulin pump worn by the diabetic patient. The remote provides an easy way for patients to program in insulin doses that the pump delivers. Rapid7 researchers were able to intercept the communications, which uses a proprietary management protocol, reverse engineer it and then spoof the management device to initiate an injection of insulin.
“Due to these insulin vulnerabilities, an adversary within sufficient proximity (which can depend on the radio transmission equipment being used) can remotely harm users of the system and potentially cause them to have hypoglycemic reaction, if he or she does not cancel the insulin delivery on the pump,” Rapid7 said in a blog post on Tuesday.
Speaking with The Security Ledger, Rapid7 researcher Jay Radcliffe, who is diabetic, said he became interested in the OneTouch Ping after he was prescribed the device. “I was curious,” Radcliffe said. “And, because I’m a diabetic, I have access to these devices, which not everyone does.”
Radcliffe gained fame for research on his previous insulin pump, which was manufactured by Medtronic. He said he does not use the OneTouch PING device currently.
According to Johnson & Johnson’s website, the OneTouch is a “two-part system” comprised of the pump and the Meter Remote. The two “(communicate) wirelessly to deliver insulin.” The two devices communicate in the 900mhz band using a proprietary management protocol.
Upon inspection, however, Radcliffe discovered that the protocol used to send commands from the Remote to the pump had no security. Messages instructing the pump to inject insulin were not encrypted nor were they unique. That means that a message captured at any time could be replayed later and still be accepted by the device, Radcliffe told Security Ledger.
“Once you record the command you can recreate the sequence – right away or days later,” he said. Animas and Johnson & Johnson’s reliance on the obscurity of their management protocol was a perfect example of “security through obscurity,” Radcliffe said.
Johnson & Johnson acquired Animas in 2006. The OneTouch system was first released in 2008. In a statement, Johnson & Johnson said the OneTouch Ping has “multiple safeguards to protect the integrity of the pump and remains safe and reliable.” Animas is working with “the appropriate regulatory bodies and security experts on this issue as we are always evaluating ways to further ensure patient safety and enhance security,” the company said.
In a letter informing patients of the newly discovered vulnerability, Animas said that the risk of attack using the security hole was “extremely low” and that it has “investigated this issue and has worked with the appropriate regulatory authorities and security experts, as we are always evaluating ways to further ensure patient safety and security.”
A successful attack “would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping® system is not connected to the internet or to any external network. In addition, the system has multiple safeguards to protect its integrity and prevent unauthorized action.”
Radcliffe agreed with that assessment, though he noted that an attacker would only need to stand with around 30 feet (10 meters) of the victim to carry out a successful attack. Special antennas or signal enhancing tools could, however, greatly lengthen the distance from which a successful attack could be carried out, he said. However, the OneTouch is not connected to either cellular networks or the Internet, making a remote, software based attack impossible.
It is not known if a software based “patch” is possible for the pump. Animas outlined a number of mitigations for patients concerned about the possibility of an attack. Among them: disabling the pump’s radio frequency feature. Doing so would prevent any unauthorized commands, but also means that the pump and meter will no longer communicate and blood glucose readings will need to be entered manually on the pump.
[Read more Security Ledger coverage of medical device security.]
Using controls on the pump itself, patients can also limit the amount of bolus insulin that can be delivered, reducing the likelihood of a fatal or dangerous dose. Patients can configure a maximum bolus amount, 2-hour amount, and total daily dose, with attempts to exceed or override these settings triggering a pump alarm. Finally, patients can use a Vibrating Alert feature on the Ping System which notifies the user that a bolus dose is being initiated by the meter remote and gives the patient the option of canceling the bolus.
This is just the latest instance of a serious flaw being discovered in life sustaining medical device hardware. The firm MedSec last month raised similar issues about implantable medical devices manufactured by St. Jude, prompting the Wall Street firm Muddy Waters to bet against (or “short”) St. Jude’s stock.
This time, medical device security experts applauded the cooperation between the device maker and the information security firm. “It sounds like Rapid7 and J&J followed a reasonable vulnerability disclosure process. Based on the evidence I have seen so far, I am impressed with the professionalism and the manner in which the vulnerability was disclosed,” said Kevin Fu, the CEO of Virta Labs and an authority on the security of medical devices.
Fu and other security experts called for more research on the security of medical devices used by the public.
“We should expect a lot more vulnerabilities in medical devices because there’s decades of technical debt.
“Now that more medical devices are connected in 2016, a much more extensive accounting of these risks is needed,” said Eve Maler of the firm Forgerock in an email statement. “The Internet of Things won’t get many passes when it comes to security breaches. This means we need to know how to authenticate and authorize not only those who use and interact with devices, such as pump wearers and care providers, but also the devices themselves — down to the sensor level — and whether their associations with people have been built up appropriately.”
Over time, emerging standards like those from the Association for the Advancement of Medical Instrumentation should result in devices that are designed more securely. That group has published standards that will help manufacturers design security into medical devices rather than bolt it on after the fact, Fu said.