Researcher Roots Out Security Flaws In Insulin Pumps

Jay Radcliffe, the researcher and diabetic who found the flaws in the Johnson & Johnson Animas OneTouch Ping insulin pump, 'would not hesitate' to allow his own children to be treated with the device if they were diabetic and their physicians advised it.

Three security vulnerabilities in a popular insulin pump were revealed today, but the researcher who discovered them doesn't want you to worry about it too much. 

The problems in the Animas OneTouch Ping wireless insulin pump were discovered by Jay Radcliffe, security researcher at Rapid7 and himself a Type 1 diabetic. The vulnerabilities all stem from weak security practices still common in Internet of Things devices, including cleartext communications. An attacker could ultimately exploit them to trigger extra doses of insulin and induce a hypoglycemic reaction.

Johnson & Johnson is the parent company of Animas.

However, Radcliffe's blog post announcing the vulnerabilities contained nearly as many cautions against overreacting to cybersecurity alerts as it did alerts. "If any of my children became diabetic and the medical staff recommended putting them on a pump," he wrote, "I would not hesitate to put them on an OneTouch Ping. It is not perfect, but nothing is."

The Animas OneTouch Ping has an optional wireless remote. Radcliffe found that communications between the pump and the remote are sent in cleartext rather than encrypted (CVE-2016-5084). Blood glucose results and insulin dosage data are therefore available to any eavesdropper within radio range; identity information is not included in the transmitted data.

Remotes and pumps are "paired" to "prevent the pump from taking commands from other remotes that it might accidentally pick up transmissions from," but as CVE-2016-5085 describes, the pairing process is weak. To pair, the devices conduct a five-packet exchange in the clear, and it is the same five packets every time. That fixed exchange effectively serves as the key, so it is easy to sniff and spoof.

"This vulnerability can be used to remotely dispense insulin and potentially cause the patient to have a hypoglycemic reaction," he wrote.

The third flaw, CVE-2016-5086, is a lack of replay-attack prevention. As Radcliffe explained in the blog, "Communication between the pump and remote have no sequence numbers, timestamps, or other forms of defense against replay attacks."

This makes it relatively trivial for an attacker to issue additional doses of insulin by replaying previously captured transmissions, and so induce a hypoglycemic reaction.

This vulnerability may also enable an attack from a considerable distance. The designed range between remote and pump is roughly 30 feet, yet with off-the-shelf radio equipment and a directional antenna, an attacker could extend that to 1 to 2 kilometers from the patient.

The vulnerabilities can be mitigated by implementing industry-standard encryption with a unique key pair, or by disabling the radio (RF) functionality of the device. (All functions can be performed through the interface on the pump itself, Radcliffe says.) Animas provides further guidance for patients on its website and in mailed letters.
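To make the pairing, replay and mitigation points above concrete, here is an added illustration in Python. It is not Animas or Rapid7 code: the frame layout, the remote IDs and the STATIC_PAIRING packets are constructed stand-ins, since the real packet contents are not on the page. The vulnerable model accepts a constant pairing exchange and unauthenticated frames, so a sniffed bolus can be replayed and a sniffed pairing can be spoofed. The hardened model shows one standard way to close those two holes, a per-pairing secret with an HMAC and a monotonic sequence number on every command; it covers integrity and replay only, and a real fix would also encrypt the channel (for example with an AEAD mode) to address the cleartext issue of CVE-2016-5084.

```python
"""Toy model of the remote-to-pump command channel: a static cleartext pairing
with no replay protection, beside an authenticated, sequence-numbered redesign.
Added illustration; not Animas code. Frame format and packet contents are invented."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed stand-in for the "same five packets every time" pairing exchange.
STATIC_PAIRING = [b"PAIR-%d" % i for i in range(5)]


@dataclass
class VulnerablePump:
    """Models the design behind CVE-2016-5085/-5086: constant pairing, no MAC,
    no sequence numbers, so a sniffed frame can be replayed verbatim."""
    paired_remote: bytes = b""
    delivered: float = 0.0

    def pair(self, packets: list, remote_id: bytes) -> bool:
        if packets == STATIC_PAIRING:      # sniff the exchange once, reuse it forever
            self.paired_remote = remote_id
            return True
        return False

    def receive(self, frame: bytes) -> bool:
        # Cleartext frame: remote_id|BOLUS|units. Nothing ties it to a moment
        # in time, so the pump cannot tell a replay from a fresh command.
        remote_id, cmd, units = frame.split(b"|")
        if remote_id != self.paired_remote or cmd != b"BOLUS":
            return False
        self.delivered += float(units)
        return True


@dataclass
class HardenedPump:
    """One way to implement the mitigation the article names: a secret unique
    to the pairing, plus a MAC and a monotonic sequence number on every command."""
    key: bytes = b""
    last_seq: int = -1
    delivered: float = 0.0

    def pair(self) -> bytes:
        # Pairing yields a fresh random secret for this pump/remote pair (a real
        # device would derive it with an authenticated key exchange, not ship it).
        self.key = os.urandom(32)
        self.last_seq = -1
        return self.key

    def receive(self, frame: bytes) -> bool:
        body, _, tag = frame.rpartition(b"|")
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            return False                   # forged or tampered frame
        seq, cmd, units = body.split(b"|")
        if int(seq) <= self.last_seq:
            return False                   # replayed frame: sequence number already seen
        if cmd != b"BOLUS":
            return False
        self.last_seq = int(seq)
        self.delivered += float(units)
        return True


def hardened_frame(key: bytes, seq: int, units: float) -> bytes:
    """What a legitimate remote sends: seq|BOLUS|units|HMAC-SHA256(seq|BOLUS|units)."""
    body = b"%d|BOLUS|%s" % (seq, str(units).encode())
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def replay_against_vulnerable() -> float:
    """Attacker sniffs the pairing and one 1.0-unit bolus, then replays both."""
    pump = VulnerablePump()
    pump.pair(STATIC_PAIRING, b"remote-A")          # legitimate pairing
    bolus = b"remote-A|BOLUS|1.0"
    pump.receive(bolus)                             # patient's own dose
    pump.receive(bolus)                             # replayed verbatim: accepted again
    pump.pair(STATIC_PAIRING, b"attacker")          # re-pair using the sniffed packets
    pump.receive(b"attacker|BOLUS|1.0")             # pump now obeys the attacker
    return pump.delivered                           # 3.0 units, two of them unauthorised


def replay_against_hardened() -> tuple:
    """Same attacker against the hardened design: replay and forgery both fail."""
    pump = HardenedPump()
    key = pump.pair()
    legit = hardened_frame(key, seq=1, units=1.0)
    ok_legit = pump.receive(legit)
    ok_replay = pump.receive(legit)                 # same sequence number: rejected
    forged = hardened_frame(b"guess", seq=2, units=5.0)
    ok_forged = pump.receive(forged)                # wrong key: MAC check fails
    return pump.delivered, ok_legit, ok_replay, ok_forged


if __name__ == "__main__":
    print("vulnerable pump delivered:", replay_against_vulnerable())
    print("hardened pump (delivered, legit, replay, forged):", replay_against_hardened())
```

The sequence number is the cheapest replay defence for a device without a reliable clock; a timestamp with a freshness window, or a pump-issued nonce per command, would serve the same purpose. Either way the MAC must cover the counter, otherwise an attacker can simply bump it.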

"Most people are at limited risk of any of the issues related to this research," wrote Radcliffe. "These are sophisticated attacks that require being physically close to a pump. Some people will choose to see this as significant, and for that they can turn off the rf/remote features of the pump and eliminate that risk ... Removing an insulin pump from a diabetic over this risk is similar to never taking an airplane because it might crash."

Rapid7 first informed Animas and its parent company Johnson & Johnson of the vulnerabilities in April. CERT, the Department of Homeland Security, and the Food & Drug Administration were also informed. Rapid7 worked with Animas on validating the vulnerabilities and providing mitigations before publicly disclosing the vulnerabilities today. Animas will also be mailing patients information about the flaws and mitigations.

This is all common, established vulnerability disclosure procedure for medical devices but nevertheless noteworthy. Six weeks ago, security company MedSec broke vulnerability disclosure norms, partnering with Muddy Waters to short-sell medical device manufacturer St. Jude Medical rather than disclose full details of the flaws it claimed to have found.

"Rapid7 is very committed to ethical vendor disclosure like we have here with [Johnson & Johnson]," Radcliffe told Dark Reading. "It is important for the users of these devices to have their health and safety come first." 

Radcliffe said in his blog post that the risk to such devices increases as they evolve and gain Internet connectivity. He said his findings demonstrate the importance of vendors, regulators, and researchers working together to ensure the devices are safe for patients.

With so many medical devices becoming increasingly connected, are we nearing the point at which hospitals need full-time IT and security to respond to issues of availability, confidentiality, or integrity of these devices?

"Yes, very much so," says Radcliffe. "Rapid7 services works with many hospitals and clinics in order to address this exact issue."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Mark Potter, 10/18/2016 | 4:29:08 PM
Thanks for the great article Sara... I remember attending the Public Workshop - Collaborative Approaches for Medical Device and Healthcare Cybersecurity, October 21-22, 2014 where Jay sat on a cybersecurity gaps & challenges panel. I remember his comments about medical device security and insulin pumps in particular. It made an impression hearing a security expert explain how he sticks himself with a needle six times a day because medical insulin pumps were not where they needed to be from a security perspective.

We have come a long way thanks to researchers like him and news organizations keeping these issues in the public eye.