Researcher Roots Out Security Flaws In Insulin Pumps

Jay Radcliffe, researcher and diabetic who found the flaws in Johnson & Johnson Animas OneTouch Ping insulin pump, ‘would not hesitate’ to allow his own children be treated by the device if they were diabetic and advised to do so by physicians.

Three security vulnerabilities in a popular insulin pump were revealed today, but the researcher who discovered them doesn’t want you to worry about it too much. 

The problems in the Animas OneTouch Ping wireless insulin pump were discovered by Jay Radcliffe, security researcher at Rapid7 and himself a Type I diabetic. The vulnerabilities all relate to insufficient security protocols still common in Internet of Things devices, including cleartext communications. Attackers could ultimately exploit the weak security to issue extra doses of insulin and induce hypoglycemic reactions.  

Johnson & Johnson is the parent company of Animas.

However, Radcliffe’s blog announcing the vulnerabilities included nearly as many cautions about not overreacting to cybersecurity alerts as it did to cybersecurity alerts. “If any of my children became diabetic and the medical staff recommended putting them on a pump,” he wrote, “I would not hesitate to put them on an OneTouch Ping. It is not perfect, but nothing is.”

The Animas OneTouch Ping has an optional wireless remote function. Radcliffe found CVE-2016-5084, which covers that communications between the pump and the wireless remote are communicated in cleartext, not encrypted. Blood glucose results and insulin dosage data is thus freely available to eavesdroppers; identity information is not included in the data communicated. 

Remotes and pumps are “paired” to “prevent the pump from taking commands from other remotes that it might accidentally pick up transmissions from,” but as CVE-2016-5085 describes, the pairing process is weak. To pair, the devices conduct a five-packet exchange in the clear — the same five packets every time. This key is therefore easy to sniff and spoof.

“This vulnerability can be used to remotely dispense insulin and potentially cause the patient to have a hypoglycemic reaction,” he wrote.

The third flaw, CVE-2016-5086, is a lack of replay attack prevention or transmission. As Radcliffe explained in the blog, “Communication between the pump and remote have no sequence numbers, timestamps, or other forms of defense against replay attacks.”

This makes it relatively trivial for an attacker to – by replaying previous transmissions – issue additional doses of insulin, and induce a hypoglycemic reaction.

This vulnerability theoretically may also enable an attack to be launched from a considerable distance. The range of the remote and pump as designed is roughly 30 feet, yet with some off-the-shelf radio transmission equipment and directional antenna, an attacker can regularly exceed 1 to 2 kilometers away from the patient.

The vulnerabilities can be mitigated by implementing industry-standard encryption with a unique key pair or by disabling the radio (RF) functionality of the device. (All functions can be performed through the interface on the pump itself, Radcliffe says.) Animas provides further suggestions for patients here, and in mailed letters.  

“Most people are at limited risk of any of the issues related to this research,” wrote Radcliffe. “These are sophisticated attacks that require being physically close to a pump. Some people will choose to see this as significant, and for that they can turn off the rf/remote features of the pump and eliminate that risk … Removing an insulin pump from a diabetic over this risk is similar to never taking an airplane because it might crash.”

Rapid7 first informed Animas and its parent company Johnson & Johnson of the vulnerabilities in April. CERT, the Department of Homeland Security, and the Food & Drug Administration were also informed. Rapid7 worked with Animas on validating the vulnerabilities and providing mitigations before publicly disclosing the vulnerabilities today. Animas will also be mailing patients information about the flaws and mitigations.

This is all common, established vulnerability disclosure procedure for medical devices but nevertheless noteworthy. Six weeks ago, security company MedSec broke vulnerability disclosure norms, partnering with Muddy Waters to short-sell medical device manufacturer St. Jude Medical rather than disclose full details of the flaws it claimed to have found.

“Rapid7 is very committed to ethical vendor disclosure like we have here with [Johnson & Johnson],” Radcliffe told Dark Reading. “It is important for the users of these devices to have their health and safety come first.” 

Radcliffe said in his blog post that the risk to such devices increases as they evolve and gain Internet connectivity. He said his findings demonstrate the importance of vendors, regulators, and researchers working together to ensure the devices are safe for patients.

With so many medical devices becoming increasingly connected, are we nearing the point at which hospitals need full-time IT and security to respond to issues of availability, confidentiality, or integrity of these devices?

“Yes, very much so,” says Radcliffe. “Rapid7 services works with many hospitals and clinics in order to address this exact issue.”

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad … View Full Bio

More Insights