Dark Reading is part of the Informa Tech Division of Informa PLC



06:10 PM

Researcher Roots Out Security Flaws In Insulin Pumps

Jay Radcliffe, the researcher and diabetic who found the flaws in the Johnson & Johnson Animas OneTouch Ping insulin pump, 'would not hesitate' to let his own children be treated with the device if they were diabetic and their physicians advised it.

Three security vulnerabilities in a popular insulin pump were revealed today, but the researcher who discovered them doesn't want you to worry about it too much. 

The problems in the Animas OneTouch Ping wireless insulin pump were discovered by Jay Radcliffe, security researcher at Rapid7 and himself a Type I diabetic. The vulnerabilities all relate to insufficient security protocols still common in Internet of Things devices, including cleartext communications. Attackers could ultimately exploit the weak security to issue extra doses of insulin and induce hypoglycemic reactions.  

Johnson & Johnson is the parent company of Animas.

However, Radcliffe's blog post announcing the vulnerabilities contained nearly as many cautions against overreacting to cybersecurity alerts as it did warnings about the flaws themselves. "If any of my children became diabetic and the medical staff recommended putting them on a pump," he wrote, "I would not hesitate to put them on a OneTouch Ping. It is not perfect, but nothing is."

The Animas OneTouch Ping has an optional wireless remote. Radcliffe found that communications between the pump and the remote are sent in cleartext rather than encrypted (CVE-2016-5084). Blood glucose results and insulin dosage data are thus freely available to eavesdroppers, although no identity information is included in the transmitted data.

Remotes and pumps are "paired" to "prevent the pump from taking commands from other remotes that it might accidentally pick up transmissions from," but as CVE-2016-5085 describes, the pairing process is weak. To pair, the devices conduct a five-packet key exchange in the clear, and it is the same five packets every time. An attacker who sniffs the exchange once can therefore recover the pairing key and spoof the remote.

"This vulnerability can be used to remotely dispense insulin and potentially cause the patient to have a hypoglycemic reaction," he wrote.

The third flaw, CVE-2016-5086, is a lack of replay-attack prevention or transmission assurance. As Radcliffe explained in the blog, "Communication between the pump and remote have no sequence numbers, timestamps, or other forms of defense against replay attacks."

This makes it relatively trivial for an attacker to issue additional doses of insulin by replaying previously captured transmissions, and so induce a hypoglycemic reaction.

These flaws may, in theory, also enable an attack from a considerable distance. The remote and pump are designed to work at a range of roughly 30 feet, but with off-the-shelf radio transmission equipment and a directional antenna, an attacker could extend that to 1 to 2 kilometers from the patient.

The vulnerabilities can be mitigated by implementing industry-standard encryption with a unique key pair, or, on the patient's side, by disabling the radio (RF) functionality of the device. (All functions can be performed through the interface on the pump itself, Radcliffe says.) Animas provides further suggestions for patients on its website and in mailed letters.
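As an added illustration, not code from Rapid7, Animas, or this article, the following Python simulation models the remote-to-pump link in both forms: the weak design the three CVEs describe (fixed pairing material, plaintext commands, no counter), and a hardened one along the lines of the mitigation above (a random key unique to each pairing, commands encrypted and HMAC-authenticated under it, and a strictly increasing counter the pump enforces). The packet layout, the `BOLUS` command name, the dose values, the five-byte stand-in for the static pairing exchange and the HMAC-in-counter-mode keystream are all constructed assumptions for the example; a real device would use an AEAD such as AES-GCM and a proper key-derivation function.

```python
"""Simulated remote/pump link: the weak design beside a hardened one.

Added example only; formats, names and doses are constructed assumptions,
not the Animas OneTouch Ping protocol.
"""
import hashlib
import hmac
import os
import struct

# ---- Weak design (CVE-2016-5084/5085/5086 as described in the text) -------
# Pairing is a fixed plaintext exchange, so the "key" is the same every time;
# commands are plaintext and carry no counter, timestamp or MAC.
STATIC_PAIRING_KEY = b"\x01\x02\x03\x04\x05"  # constructed stand-in for the static 5-packet exchange


class WeakPump:
    def __init__(self):
        self.total_units_delivered = 0.0
        self.paired_key = None

    def pair(self, key):
        self.paired_key = key  # replaying the sniffed exchange pairs an attacker's radio too

    def receive(self, packet):
        # packet = pairing_key(5) || b"BOLUS" || units as little-endian float32, all in the clear
        key, cmd, units = packet[:5], packet[5:10], struct.unpack("<f", packet[10:14])[0]
        if key != self.paired_key or cmd != b"BOLUS":
            return False
        self.total_units_delivered += units  # no replay defence: the same bytes dispense again
        return True


def weak_bolus_packet(units):
    return STATIC_PAIRING_KEY + b"BOLUS" + struct.pack("<f", units)


def replay_against_weak_pump(captured_packet, replays):
    """Eavesdropper captures one genuine bolus packet and replays it `replays` times."""
    pump = WeakPump()
    pump.pair(STATIC_PAIRING_KEY)
    pump.receive(captured_packet)            # the patient's genuine dose
    for _ in range(replays):
        pump.receive(captured_packet)        # every replay is accepted
    return pump.total_units_delivered


# ---- Hardened design --------------------------------------------------------
def derive_keys(pairing_key):
    # Simplified split into encryption and MAC keys; a real design would use HKDF.
    return (hashlib.sha256(b"enc" + pairing_key).digest(),
            hashlib.sha256(b"mac" + pairing_key).digest())


def keystream(enc_key, counter, length):
    # HMAC-SHA256 as a PRF in counter mode (stdlib-only stand-in for an AEAD).
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack("<QI", counter, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


class HardenedRemote:
    def __init__(self, pairing_key):
        self.enc_key, self.mac_key = derive_keys(pairing_key)
        self.counter = 0

    def bolus_packet(self, units):
        self.counter += 1                    # never reused within a pairing
        plaintext = b"BOLUS" + struct.pack("<f", units)
        ct = bytes(p ^ k for p, k in zip(plaintext, keystream(self.enc_key, self.counter, len(plaintext))))
        header = struct.pack("<Q", self.counter)
        tag = hmac.new(self.mac_key, header + ct, hashlib.sha256).digest()
        return header + ct + tag             # counter(8) || ciphertext || tag(32)


class HardenedPump:
    def __init__(self, pairing_key):
        self.enc_key, self.mac_key = derive_keys(pairing_key)
        self.last_counter = 0
        self.total_units_delivered = 0.0

    def receive(self, packet):
        header, ct, tag = packet[:8], packet[8:-32], packet[-32:]
        expected = hmac.new(self.mac_key, header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False                     # forged, tampered or from an unpaired remote
        counter = struct.unpack("<Q", header)[0]
        if counter <= self.last_counter:
            return False                     # replayed or reordered packet: reject
        plaintext = bytes(c ^ k for c, k in zip(ct, keystream(self.enc_key, counter, len(ct))))
        if plaintext[:5] != b"BOLUS":
            return False
        self.last_counter = counter          # advance only after full verification
        self.total_units_delivered += struct.unpack("<f", plaintext[5:9])[0]
        return True


def replay_against_hardened_pump(replays):
    """Same attack as above against the hardened link: (units delivered, replays accepted)."""
    pairing_key = os.urandom(32)             # unique per pairing, not the same bytes every time
    remote, pump = HardenedRemote(pairing_key), HardenedPump(pairing_key)
    captured = remote.bolus_packet(1.5)
    pump.receive(captured)                   # genuine dose
    accepted = sum(pump.receive(captured) for _ in range(replays))
    return pump.total_units_delivered, accepted
```

Against the weak pump, one captured 1.5-unit packet replayed three times delivers 6.0 units; against the hardened pump the same three replays are all rejected and the total stays at 1.5, a sniffer sees no `BOLUS` string in the packet, and a single flipped ciphertext byte fails the MAC check before the counter is touched.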

"Most people are at limited risk of any of the issues related to this research," wrote Radcliffe. "These are sophisticated attacks that require being physically close to a pump. Some people will choose to see this as significant, and for that they can turn off the rf/remote features of the pump and eliminate that risk ... Removing an insulin pump from a diabetic over this risk is similar to never taking an airplane because it might crash."

Rapid7 first informed Animas and its parent company Johnson & Johnson of the vulnerabilities in April. CERT, the Department of Homeland Security, and the Food & Drug Administration were also informed. Rapid7 worked with Animas on validating the vulnerabilities and providing mitigations before publicly disclosing the vulnerabilities today. Animas will also be mailing patients information about the flaws and mitigations.

This is all common, established vulnerability disclosure procedure for medical devices but nevertheless noteworthy. Six weeks ago, security company MedSec broke vulnerability disclosure norms, partnering with Muddy Waters to short-sell medical device manufacturer St. Jude Medical rather than disclose full details of the flaws it claimed to have found.

"Rapid7 is very committed to ethical vendor disclosure like we have here with [Johnson & Johnson]," Radcliffe told Dark Reading. "It is important for the users of these devices to have their health and safety come first." 

Radcliffe said in his blog post that the risk to such devices increases as they evolve and gain Internet connectivity. He said his findings demonstrate the importance of vendors, regulators, and researchers working together to ensure the devices are safe for patients.

With so many medical devices becoming increasingly connected, are we nearing the point at which hospitals need full-time IT and security to respond to issues of availability, confidentiality, or integrity of these devices?

"Yes, very much so," says Radcliffe. "Rapid7 services works with many hospitals and clinics in order to address this exact issue."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Mark Potter
User Rank: Apprentice
10/18/2016 | 4:29:08 PM
Thanks for the great article Sara... I remember attending the Public Workshop - Collaborative Approaches for Medical Device and Healthcare Cybersecurity, October 21-22, 2014 where Jay sat on a cybersecurity gaps & challenges panel. I remember his comments about medical device security and insulin pumps in particular. It made an impression hearing a security expert explain how he sticks himself with a needle six times a day because medical insulin pumps were not where they needed to be from a security perspective.

We have come a long way thanks to researchers like him and news organizations keeping these issues in the public eye.