Medical company warns customers about vulnerability in insulin pump
US company Johnson & Johnson, which supplies pharmaceutical and medical products, has warned customers about a vulnerability in an insulin pump. An attacker could exploit it to make the pump deliver an overdose of insulin, which could be fatal for the user.
The company informed its customers in a letter. The vulnerability was discovered in April by a researcher from the security company Rapid7, who published details of it on Tuesday. It concerns the Animas OneTouch Ping insulin pump, which according to Reuters came on the market in 2008. The pump is operated with a wireless remote control that lets users administer insulin themselves. The researcher found that the remote's radio signal to the pump can be spoofed, which would allow an attacker to trigger an overdose. Both Johnson & Johnson and the researcher rate the risk posed by the vulnerability as ‘low’. Reuters, citing ‘medical experts’, reports that this is the first time a medical company has issued such a warning. It is not, however, the first time a vulnerability has been found in an insulin pump: in 2011 the same happened with Medtronic devices.
The issue actually consists of three separate vulnerabilities, tracked as CVE-2016-5084, CVE-2016-5085 and CVE-2016-5086. The first is that the traffic between the pump and the remote control is sent unencrypted over radio, so a third party within range can capture it. The second concerns the pairing process between the pump and the remote control. During pairing a key is created so that the pump will only accept commands from its own remote, but this key is itself sent unencrypted and can therefore also be intercepted, writes the Rapid7 researcher, who is a diabetic himself.
The third vulnerability is the absence of protection against a so-called replay attack: an attacker can capture a command sent to the pump and send it again later, and the pump will carry it out a second time. This is possible because the commands carry no sequence number or other property that makes each one unique. The researcher writes that, by amplifying the radio signal, the attack can be carried out from up to two kilometers away, whereas the remote control normally works at a range of about ten meters.
In the letter Johnson & Johnson advises customers who are concerned about the vulnerabilities to disable the pump's radio function. They can also set a limit on the insulin dose. The company considers the risk of an attack low, because an attacker would need “technical knowledge and advanced equipment” and would have to be close to the pump; the pump is also not connected to the internet. The researcher himself says the best solution is to use encryption to secure the connection between the pump and the remote control.
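The Python script below is an added illustration, not code from the article, from Rapid7 or from Johnson & Johnson, and it does not reproduce the OneTouch Ping wire protocol. It models the three weaknesses described above with a made-up 7-byte frame (pairing key, command byte, dose in tenths of a unit), shows how a sniffed frame can be replayed or re-crafted against the unprotected pump, and then shows one way to close the spoofing and replay holes: every command carries a strictly increasing counter and an HMAC keyed with the pairing key, and the pump enforces a configurable maximum bolus as the kind of dose cap the letter recommends. The frame layout, field sizes, class and function names are all assumptions. The hardened model also assumes the pairing key is established without being broadcast in clear (the thing the second vulnerability breaks), and it does not encrypt the traffic, so on its own it does not address the first vulnerability, for which the researcher recommends encryption.

```python
"""Toy model of an insulin-pump remote channel: the three weaknesses from the
article, and a counter + HMAC scheme that defeats spoofing and replay.
Constructed for illustration only; frame layout and names are assumptions."""
import hashlib
import hmac
import struct

BOLUS = b"B"   # the only command type in this toy model: deliver a bolus
MAC_LEN = 8    # truncated HMAC-SHA256 tag length (assumption for the toy frame)


# --- Vulnerable model: cleartext key, cleartext commands, no replay protection ---

class VulnerablePump:
    def __init__(self):
        self.pairing_key = None
        self.delivered = 0.0  # units of insulin delivered so far

    def pair(self, key: bytes) -> None:
        # The key travels over the air in clear: a sniffer learns it here.
        self.pairing_key = key

    def receive(self, frame: bytes) -> bool:
        # frame = 4-byte pairing key | 1-byte command | 2-byte dose (tenths of a unit)
        if len(frame) != 7:
            return False
        key, cmd, tenths = frame[:4], frame[4:5], struct.unpack(">H", frame[5:7])[0]
        if key != self.pairing_key or cmd != BOLUS:
            return False
        self.delivered += tenths / 10   # no counter, no MAC: any matching frame is obeyed
        return True


def vulnerable_bolus_frame(key: bytes, units: float) -> bytes:
    return key + BOLUS + struct.pack(">H", round(units * 10))


def replay_attack(pump: VulnerablePump, sniffed_frame: bytes, times: int) -> float:
    """Re-send one captured legitimate frame `times` times. Nothing in the frame
    changes between sends, so the pump cannot tell a replay from the original."""
    for _ in range(times):
        pump.receive(sniffed_frame)
    return pump.delivered


# --- Hardened model: per-command counter + HMAC, and a dose cap on the pump ---

class HardenedPump:
    """Accepts a command only if its MAC verifies under the pairing key, its
    counter is higher than the last accepted one, and its dose is within the cap.
    Assumes the pairing key was established without exposing it over the air."""
    def __init__(self, key: bytes, max_bolus_units: float):
        self.key = key
        self.max_bolus_units = max_bolus_units
        self.last_counter = 0
        self.delivered = 0.0

    def receive(self, frame: bytes) -> bool:
        # frame = 4-byte counter | 1-byte command | 2-byte dose | 8-byte MAC
        if len(frame) != 7 + MAC_LEN:
            return False
        body, tag = frame[:7], frame[7:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(tag, expected):
            return False                      # forged or altered command
        counter, cmd, tenths = struct.unpack(">IcH", body)
        if counter <= self.last_counter:
            return False                      # replayed (or reordered) command
        if cmd != BOLUS or tenths / 10 > self.max_bolus_units:
            return False                      # unknown command or dose above the cap
        self.last_counter = counter           # advance only on an accepted command
        self.delivered += tenths / 10
        return True


class HardenedRemote:
    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def bolus_frame(self, units: float) -> bytes:
        self.counter += 1
        body = struct.pack(">IcH", self.counter, BOLUS, round(units * 10))
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:MAC_LEN]
        return body + tag


def demo_vulnerable() -> float:
    key = b"\x12\x34\x56\x78"                 # constructed sample pairing key
    pump = VulnerablePump()
    pump.pair(key)                            # attacker sniffs the key here
    frame = vulnerable_bolus_frame(key, 2.0)  # legitimate 2.0-unit bolus, also sniffed
    pump.receive(frame)
    replay_attack(pump, frame, 10)            # 10 replays: 20 more units
    pump.receive(vulnerable_bolus_frame(key, 25.0))   # sniffed key lets the attacker craft any dose
    return pump.delivered                     # 47.0 units


def demo_hardened() -> tuple:
    key = b"\x12\x34\x56\x78"
    pump = HardenedPump(key, max_bolus_units=5.0)
    remote = HardenedRemote(key)
    frame = remote.bolus_frame(2.0)
    ok = pump.receive(frame)                  # genuine command: accepted
    replayed = pump.receive(frame)            # same counter: rejected
    forged = pump.receive(frame[:5] + struct.pack(">H", 80) + frame[7:])  # altered dose: MAC fails
    too_big = pump.receive(remote.bolus_frame(8.0))   # valid MAC, but above the 5.0-unit cap
    return ok, replayed, forged, too_big, pump.delivered


if __name__ == "__main__":
    print("vulnerable pump delivered:", demo_vulnerable())
    print("hardened pump results:", demo_hardened())
```

The counter check is what defeats the replay described in the article, and the keyed MAC is what stops an attacker from changing the dose or forging a command without the key; a plain sequence number without a MAC would not help, since the attacker could simply increment it. Note that the hardened pump advances `last_counter` only on an accepted command, so a rejected over-cap frame does not let an attacker burn counter values.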