Researcher Roots Out Security Flaws In Insulin Pumps

Jay Radcliffe, the researcher and diabetic who found the flaws in the Johnson & Johnson Animas OneTouch Ping insulin pump, 'would not hesitate' to allow his own children to be treated with the device if they were diabetic and advised to do so by physicians.

Three security vulnerabilities in a popular insulin pump were revealed today, but the researcher who discovered them doesn't want you to worry about it too much. 

The problems in the Animas OneTouch Ping wireless insulin pump were discovered by Jay Radcliffe, security researcher at Rapid7 and himself a Type I diabetic. The vulnerabilities all relate to insufficient security protocols still common in Internet of Things devices, including cleartext communications. Attackers could ultimately exploit the weak security to issue extra doses of insulin and induce hypoglycemic reactions.  

Johnson & Johnson is the parent company of Animas.

However, Radcliffe's blog announcing the vulnerabilities included nearly as many cautions about not overreacting to cybersecurity alerts as it did to cybersecurity alerts. "If any of my children became diabetic and the medical staff recommended putting them on a pump," he wrote, "I would not hesitate to put them on an OneTouch Ping. It is not perfect, but nothing is."

The Animas OneTouch Ping has an optional wireless remote function. Radcliffe found CVE-2016-5084, which covers the fact that communications between the pump and the wireless remote are sent in cleartext, not encrypted. Blood glucose results and insulin dosage data are thus freely available to eavesdroppers; identity information is not included in the data communicated.

Remotes and pumps are "paired" to "prevent the pump from taking commands from other remotes that it might accidentally pick up transmissions from," but as CVE-2016-5085 describes, the pairing process is weak. To pair, the devices conduct a five-packet exchange in the clear -- the same five packets every time. This key is therefore easy to sniff and spoof.

"This vulnerability can be used to remotely dispense insulin and potentially cause the patient to have a hypoglycemic reaction," he wrote.

The third flaw, CVE-2016-5086, is a lack of replay-attack prevention in the transmissions. As Radcliffe explained in the blog, "Communication between the pump and remote have no sequence numbers, timestamps, or other forms of defense against replay attacks."

This makes it relatively trivial for an attacker, by replaying previously captured transmissions, to issue additional doses of insulin and induce a hypoglycemic reaction.

This vulnerability may, in theory, also enable an attack to be launched from a considerable distance. The designed range of the remote and pump is roughly 30 feet, yet with some off-the-shelf radio transmission equipment and a directional antenna, an attacker could routinely operate from 1 to 2 kilometers or more away from the patient.

The vulnerabilities can be mitigated by implementing industry-standard encryption with a unique key pair or by disabling the radio (RF) functionality of the device. (All functions can be performed through the interface on the pump itself, Radcliffe says.) Animas provides further suggestions for patients here, and in mailed letters.  
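To make the replay problem (CVE-2016-5086) and the "unique key pair" mitigation concrete, here is an added illustration that is not Animas's protocol or Radcliffe's code: a remote-to-pump frame that carries a monotonically increasing sequence number and an HMAC computed under a per-pairing secret, and a pump-side receiver that rejects any frame whose tag does not verify or whose sequence number has already been seen. The pairing key, the frame layout and the command payloads are all constructed for the example; the scheme covers integrity and replay only, not the confidentiality issue of CVE-2016-5084.

```python
import hashlib
import hmac
import os
import struct

# Constructed per-pairing secret. In a real design this would be established
# once, per remote/pump pair, during a protected pairing step, and never reused
# across devices (unlike the fixed five-packet exchange described in the article).
PAIRING_KEY = os.urandom(32)
TAG_LEN = 16  # truncated HMAC-SHA256 tag appended to every frame


def build_command(key: bytes, seq: int, payload: bytes) -> bytes:
    """Remote side: frame = 4-byte big-endian sequence number || payload || tag."""
    header = struct.pack(">I", seq) + payload
    tag = hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]
    return header + tag


class PumpReceiver:
    """Pump side: a frame is accepted only if its tag verifies under the pairing
    key AND its sequence number is strictly greater than the last one accepted.
    last_seq must be persisted across power cycles, or a reboot reopens replay."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1
        self.accepted = []  # payloads the pump actually acted on

    def accept(self, frame: bytes) -> bool:
        if len(frame) < 4 + TAG_LEN:
            return False  # malformed frame
        header, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison so tag checking does not leak timing information.
        if not hmac.compare_digest(tag, expected):
            return False  # forged, tampered or sent under a different pairing key
        seq = struct.unpack(">I", header[:4])[0]
        if seq <= self.last_seq:
            return False  # replay of an already-accepted frame
        self.last_seq = seq
        self.accepted.append(header[4:])
        return True


def demo():
    """Returns (fresh_frame_accepted, replayed_frame_accepted, forged_frame_accepted)."""
    pump = PumpReceiver(PAIRING_KEY)
    frame = build_command(PAIRING_KEY, 1, b"constructed-command")
    fresh = pump.accept(frame)
    replayed = pump.accept(frame)  # identical bytes captured and resent
    forged = pump.accept(build_command(b"other-key", 2, b"constructed-command"))
    return fresh, replayed, forged
```

Without the sequence number check, the second `accept` of the same bytes would succeed, which is exactly the condition the article describes; without the tag, the sequence number alone could be rewritten by anyone who can transmit on the channel.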

"Most people are at limited risk of any of the issues related to this research," wrote Radcliffe. "These are sophisticated attacks that require being physically close to a pump. Some people will choose to see this as significant, and for that they can turn off the rf/remote features of the pump and eliminate that risk ... Removing an insulin pump from a diabetic over this risk is similar to never taking an airplane because it might crash."

Rapid7 first informed Animas and its parent company Johnson & Johnson of the vulnerabilities in April. CERT, the Department of Homeland Security, and the Food & Drug Administration were also informed. Rapid7 worked with Animas on validating the vulnerabilities and providing mitigations before publicly disclosing the vulnerabilities today. Animas will also be mailing patients information about the flaws and mitigations.

This is all common, established vulnerability disclosure procedure for medical devices but nevertheless noteworthy. Six weeks ago, security company MedSec broke vulnerability disclosure norms, partnering with Muddy Waters to short-sell medical device manufacturer St. Jude Medical rather than disclose full details of the flaws it claimed to have found.

"Rapid7 is very committed to ethical vendor disclosure like we have here with [Johnson & Johnson]," Radcliffe told Dark Reading. "It is important for the users of these devices to have their health and safety come first." 

Radcliffe said in his blog post that the risk to such devices increases as they evolve and gain Internet connectivity. He said his findings demonstrate the importance of vendors, regulators, and researchers working together to ensure the devices are safe for patients.

With so many medical devices becoming increasingly connected, are we nearing the point at which hospitals need full-time IT and security to respond to issues of availability, confidentiality, or integrity of these devices?

"Yes, very much so," says Radcliffe. "Rapid7 services works with many hospitals and clinics in order to address this exact issue."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Mark Potter, User Rank: Apprentice
10/18/2016 | 4:29:08 PM
Thanks for the great article Sara... I remember attending the Public Workshop - Collaborative Approaches for Medical Device and Healthcare Cybersecurity, October 21-22, 2014 where Jay sat on a cybersecurity gaps & challenges panel. I remember his comments about medical device security and insulin pumps in particular. It made an impression hearing a security expert explain how he sticks himself with a needle six times a day because medical insulin pumps were not where they needed to be from a security perspective.

We have come a long way thanks to researchers like him and news organizations keeping these issues in the public eye.