Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

06:10 PM
Connect Directly

Researcher Roots Out Security Flaws In Insulin Pumps

Jay Radcliffe, researcher and diabetic who found the flaws in Johnson & Johnson Animas OneTouch Ping insulin pump, 'would not hesitate' to allow his own children be treated by the device if they were diabetic and advised to do so by physicians.

Three security vulnerabilities in a popular insulin pump were revealed today, but the researcher who discovered them doesn't want you to worry about it too much. 

The problems in the Animas OneTouch Ping wireless insulin pump were discovered by Jay Radcliffe, security researcher at Rapid7 and himself a Type I diabetic. The vulnerabilities all relate to insufficient security protocols still common in Internet of Things devices, including cleartext communications. Attackers could ultimately exploit the weak security to issue extra doses of insulin and induce hypoglycemic reactions.  

Johnson & Johnson is the parent company of Animas.

However, Radcliffe's blog announcing the vulnerabilities included nearly as many cautions about not overreacting to cybersecurity alerts as it did to cybersecurity alerts. "If any of my children became diabetic and the medical staff recommended putting them on a pump," he wrote, "I would not hesitate to put them on an OneTouch Ping. It is not perfect, but nothing is."

The Animas OneTouch Ping has an optional wireless remote function. Radcliffe found CVE-2016-5084, which covers that communications between the pump and the wireless remote are communicated in cleartext, not encrypted. Blood glucose results and insulin dosage data is thus freely available to eavesdroppers; identity information is not included in the data communicated. 

Remotes and pumps are "paired" to "prevent the pump from taking commands from other remotes that it might accidentally pick up transmissions from," but as CVE-2016-5085 describes, the pairing process is weak. To pair, the devices conduct a five-packet exchange in the clear -- the same five packets every time. This key is therefore easy to sniff and spoof.

"This vulnerability can be used to remotely dispense insulin and potentially cause the patient to have a hypoglycemic reaction," he wrote.

The third flaw, CVE-2016-5086, is a lack of replay attack prevention or transmission. As Radcliffe explained in the blog, "Communication between the pump and remote have no sequence numbers, timestamps, or other forms of defense against replay attacks."

This makes it relatively trivial for an attacker to - by replaying previous transmissions - issue additional doses of insulin, and induce a hypoglycemic reaction.

This vulnerability theoretically may also enable an attack to be launched from a considerable distance. The range of the remote and pump as designed is roughly 30 feet, yet with some off-the-shelf radio transmission equipment and directional antenna, an attacker can regularly exceed 1 to 2 kilometers away from the patient.

The vulnerabilities can be mitigated by implementing industry-standard encryption with a unique key pair or by disabling the radio (RF) functionality of the device. (All functions can be performed through the interface on the pump itself, Radcliffe says.) Animas provides further suggestions for patients here, and in mailed letters.  

"Most people are at limited risk of any of the issues related to this research," wrote Radcliffe. "These are sophisticated attacks that require being physically close to a pump. Some people will choose to see this as significant, and for that they can turn off the rf/remote features of the pump and eliminate that risk ... Removing an insulin pump from a diabetic over this risk is similar to never taking an airplane because it might crash."

Rapid7 first informed Animas and its parent company Johnson & Johnson of the vulnerabilities in April. CERT, the Department of Homeland Security, and the Food & Drug Administration were also informed. Rapid7 worked with Animas on validating the vulnerabilities and providing mitigations before publicly disclosing the vulnerabilities today. Animas will also be mailing patients information about the flaws and mitigations.

This is all common, established vulnerability disclosure procedure for medical devices but nevertheless noteworthy. Six weeks ago, security company MedSec broke vulnerability disclosure norms, partnering with Muddy Waters to short-sell medical device manufacturer St. Jude Medical rather than disclose full details of the flaws it claimed to have found.

"Rapid7 is very committed to ethical vendor disclosure like we have here with [Johnson & Johnson]," Radcliffe told Dark Reading. "It is important for the users of these devices to have their health and safety come first." 

Radcliffe said in his blog post that the risk to such devices increases as they evolve and gain Internet connectivity. He said his findings demonstrate the importance of vendors, regulators, and researchers working together to ensure the devices are safe for patients.

With so many medical devices becoming increasingly connected, are we nearing the point at which hospitals need full-time IT and security to respond to issues of availability, confidentiality, or integrity of these devices?

"Yes, very much so," says Radcliffe. "Rapid7 services works with many hospitals and clinics in order to address this exact issue."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Mark Potter
Mark Potter,
User Rank: Apprentice
10/18/2016 | 4:29:08 PM
Thanks for the great article Sara... I remember attending the Public Workshop - Collaborative Approaches for Medical Device and Healthcare Cybersecurity, October 21-22, 2014 where Jay sat on a cybersecurity gaps & challenges panel. I remember his comments about medical device security and insulin pumps in particular. It made an impression hearing a security expert explain how he sticks himself with a needle six times a day because medical insulin pumps were not where they needed to be from a security perspective.

We have come a long way thanks to researchers like him and news organiations keeping these issues in the public eye.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Attacker Dwell Time: Ransomware's Most Important Metric
Ricardo Villadiego, Founder and CEO of Lumu,  9/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-01
Upgrading Crowd via XML Data Transfer can reactivate a disabled user from OpenLDAP. The affected versions are from before version 3.4.6 and from 3.5.0 before 3.5.1.
PUBLISHED: 2020-10-01
The hyperlinks functionality in atlaskit/editor-core in before version 113.1.5 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability in link targets.
PUBLISHED: 2020-09-30
An issue was discovered in MantisBT before 2.24.3. When editing an Issue in a Project where a Custom Field with a crafted Regular Expression property is used, improper escaping of the corresponding form input's pattern attribute allows HTML injection and, if CSP settings permit, execution of arbitra...
PUBLISHED: 2020-09-30
An issue was discovered in file_download.php in MantisBT before 2.24.3. Users without access to view private issue notes are able to download the (supposedly private) attachments linked to these notes by accessing the corresponding file download URL directly.
PUBLISHED: 2020-09-30
An issue was discovered in MantisBT before 2.24.3. Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when attempting to update said custom field via bug_actiongroup_page.php.