Insulin Pump Flaw Allows Hackers to Trigger Overdose


Johnson and Johnson has disclosed a security vulnerability found within its insulin pumps that could allow hackers to overdose patients.

The issue involves the Animas OneTouch Ping insulin pump system, a popular but older pump whose companion blood glucose meter serves as a remote control over an RF link. That communication is not encrypted, and Rapid7 researchers were able to intercept messages and alter them to trigger the pump without the user's knowledge.

“In order to prevent such instances from occurring, encrypted communication between any two endpoints is critical for medical devices, and all IoT devices,” said Aaron Lint, vice president of research at application security company Arxan, via email.
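The attack described above works because the pump acts on any well-formed frame it hears, so a nearby radio can rewrite the dose field and nothing on the receiving side can tell. The example below is added here to make that concrete; it is not code from Rapid7, Johnson and Johnson or Arxan, and the frame layout, key, counter width and tag length are assumptions for a constructed toy protocol, not the OneTouch Ping wire format. It shows the unauthenticated link being altered in transit, then the same command carried with a keyed tag (HMAC-SHA256) and a strictly increasing counter so that modified, replayed or foreign-remote frames are rejected. It provides integrity and freshness only; the confidentiality Lint calls for would be layered on with an AEAD such as AES-GCM, left out here because Python's standard library has none.

```python
import hashlib
import hmac
import struct

# Constructed toy remote-control protocol for illustration only; it is NOT the
# OneTouch Ping wire format, and the key, counter width and tag length are
# assumptions made for this example.

HEADER = b"BOLUS"
TAG_LEN = 16  # truncated HMAC-SHA256 tag (assumption)


def encode_plain(units_tenths: int) -> bytes:
    """Unauthenticated frame: header plus a 16-bit dose field, sent in the clear."""
    return HEADER + struct.pack(">H", units_tenths)


def decode_plain(frame: bytes) -> int:
    """A pump that trusts any well-formed frame it hears over the air."""
    if frame[:5] != HEADER or len(frame) != 7:
        raise ValueError("malformed frame")
    return struct.unpack(">H", frame[5:])[0]


def tamper(frame: bytes, new_units_tenths: int) -> bytes:
    """An attacker in RF range rewrites the dose; nothing in the frame reveals it."""
    return frame[:5] + struct.pack(">H", new_units_tenths)


class Remote:
    """Meter/remote that authenticates every command with a shared key and a counter."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def send(self, units_tenths: int) -> bytes:
        self.counter += 1  # strictly increasing, so old frames cannot be replayed
        body = HEADER + struct.pack(">QH", self.counter, units_tenths)
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        return body + tag


class Pump:
    """Pump that only acts on frames carrying a valid tag and a fresh counter."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def receive(self, frame: bytes):
        """Return the dose in tenths of a unit, or None if the frame is rejected."""
        if len(frame) != 5 + 10 + TAG_LEN or frame[:5] != HEADER:
            return None  # malformed
        body, tag = frame[:15], frame[15:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None  # forged, or modified in transit
        counter, units = struct.unpack(">QH", body[5:])
        if counter <= self.last_counter:
            return None  # replay of a frame the pump already acted on
        self.last_counter = counter
        return units


def demo() -> dict:
    """Run both protocols against the same interception-and-alteration attack."""
    key = b"\x11" * 32  # assumed pairing key shared by remote and pump
    results = {}

    # Plaintext protocol: a 2.5 U bolus is rewritten to 25.0 U and accepted.
    plain = encode_plain(25)
    results["plain_accepted"] = decode_plain(plain)
    results["plain_tampered"] = decode_plain(tamper(plain, 250))

    # Authenticated protocol: tampering, replay and a foreign remote are rejected.
    remote, pump = Remote(key), Pump(key)
    frame = remote.send(25)
    results["auth_accepted"] = pump.receive(frame)
    results["auth_replayed"] = pump.receive(frame)
    altered = frame[:14] + bytes([frame[14] ^ 0xFF]) + frame[15:]  # flip a dose byte
    results["auth_tampered"] = pump.receive(altered)
    results["auth_other_key"] = pump.receive(Remote(b"\x22" * 32).send(25))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The counter check matters as much as the tag: without it an attacker who records a legitimate bolus frame can play it back later and the tag still verifies. What this sketch does not solve is how the key gets onto both devices in the first place; pairing and key storage are where a real design spends most of its effort.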

The issue was responsibly disclosed and J&J is now notifying hospitals and patients of the issue. Users can avoid danger by disabling the radio functionality on the device via the set-up screen. Fortunately, the pump isn’t connected online, so this is purely an over-the-air concern.

Jay Radcliffe, security researcher at Rapid7 and a type 1 diabetic, urged patients not to panic:

“First, know that we take risks every day. We leave the house. We drive a car. We eat a muffin. We guess the amount of carbs. All entail risk. This research uncovers a previously unknown risk. This is similar to saying that there is risk of an asteroid hitting you, a car accident occurring or miscalculating the amount of insulin for that muffin you ate…These are sophisticated attacks that require being physically close to a pump. Some people will choose to see this as significant, and for that they can turn off the RF/remote features of the pump and eliminate that risk.”

Medical hacking that can kill is not a new idea—remember the pacemaker virus? Eve Maler, vice president, Innovation & Emerging Technology, ForgeRock, said via email that while the risk in this case is limited by this 2008 insulin pump's lack of internet "smarts," the news should be a big red flag for the industry.

“Now that more medical devices are connected in 2016, a much more extensive accounting of these risks is needed,” she said. “The internet of things (IoT) won't get many passes when it comes to security breaches. This means we need to know how to authenticate and authorize not only those who use and interact with devices, such as pump wearers and care providers, but also the devices themselves—down to the sensor level—and whether their associations with people have been built up appropriately.”

Photo © Hdc Photo
