Researcher says there's no reason to panic

Oct 4, 2016 21:15 GMT

People with diabetes who use OneTouch Ping insulin pumps made by Animas, a Johnson & Johnson subsidiary, should check their mail in the coming days for instructions on how to secure their device against remote attacks.

The device has three security flaws that let an attacker within radio range interpose between the insulin pump and its remote controller and send the pump rogue commands.

An attacker who knows what they are doing could trigger an insulin overdose, causing hypoglycemia, which can be fatal for some diabetes patients.

Researcher says there's no cause for alarm

Rapid7 security researcher Jay Radcliffe, who discovered the flaws and is himself diabetic, says there is no cause for alarm, at least not yet.

"If you are not technical and read the security advisory, you are probably more than worried. I would be too," Radcliffe said. "This research uncovers a previously unknown risk. [...] These are sophisticated attacks that require being physically close to a pump."

"Some people will choose to see this as significant, and for that they can turn off the rf/remote features of the pump and eliminate that risk. [...] If you are concerned, work with your endocrinologist and device vendor to make sure you are making the best choices. Removing an insulin pump from a diabetic over this risk is similar to never taking an airplane because it might crash."

Root cause of all three vulnerabilities: no encryption or authentication on the radio link

The issues Radcliffe discovered all stem from the way the insulin pump communicates with its remote. He found three problems:

  • Communications between the two devices are sent in cleartext, with no encryption;
  • The pump-remote pairing uses the same key every time, and that key is also sent in cleartext, so any attacker in range can sniff it and use it to pair a rogue remote with the pump;
  • The pump has no replay protection, so an attacker can record a valid command sent from a legitimate remote and replay it as many times as they like.

Because the two devices communicate over 900 MHz radio, the attack can be carried out from up to 90 meters away with off-the-shelf radio equipment, or from one or two kilometers away with more powerful equipment and sufficient elevation.

The good news is that the attack cannot be carried out over the Internet, because the pump has no Internet connectivity; the attacker has to be within radio range.

Device settings available to mitigate the attacks

More good news: Radcliffe has been working with Animas and Johnson & Johnson since April, when he discovered the issues, to address the problem.

With no way to deliver firmware updates to the devices, Johnson & Johnson is notifying all patients by mail about the vulnerabilities and recommending that they turn off the pump's RF (radio frequency) remote feature. Patients can do this themselves from the pump's settings: Setup -> Advanced -> Meter/10 screen, then select "RF = OFF."

For patients who want to keep using the remote, Johnson & Johnson's letter also describes settings that cap the amount of insulin the pump will deliver and raise an alert when that cap is reached.
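To make the three weaknesses and the letter's limit-and-alert mitigation concrete, here is an added Python model of the remote-to-pump channel. It is not Animas, Johnson & Johnson or Rapid7 code and does not reflect the real OneTouch Ping frame format: the frame layouts, the fixed pairing key, the remote IDs, the bolus limit and the out-of-band pairing step are all constructed assumptions for illustration. WeakPump mirrors the flaws listed above (cleartext frames, a static pairing key sent in clear, no replay check); HardenedPump shows the standard countermeasures (a pairing secret that never crosses the air, a strictly increasing per-command counter, an HMAC tag over the whole frame) plus the bolus ceiling and alert recommended as defence in depth.

```python
import hashlib
import hmac
import struct

# Constructed values for the demo (not real OneTouch Ping data).
FIXED_PAIR_KEY = b"\x13\x37\x13\x37"   # stands in for the reused pairing key
LEGIT_REMOTE = b"RMT1"
ROGUE_REMOTE = b"EVIL"


class WeakPump:
    """Models the reported design: cleartext frames, static pairing key, no replay check."""

    def __init__(self):
        self.paired = set()
        self.delivered_units = 0.0

    def receive(self, frame):
        kind, remote, payload = frame[:4], frame[4:8], frame[8:]
        if kind == b"PAIR" and payload == FIXED_PAIR_KEY:    # key travels in the clear
            self.paired.add(remote)
            return "paired"
        if kind == b"BOLS" and remote in self.paired:        # any recorded copy is accepted
            self.delivered_units += struct.unpack(">f", payload)[0]
            return "delivered"
        return "rejected"


def run_weak_demo():
    """Sniff a legitimate session, pair a rogue remote with the sniffed key, replay a bolus."""
    pump, sniffed = WeakPump(), []
    for frame in (b"PAIR" + LEGIT_REMOTE + FIXED_PAIR_KEY,
                  b"BOLS" + LEGIT_REMOTE + struct.pack(">f", 1.0)):
        sniffed.append(frame)             # attacker's RF capture of the cleartext frames
        pump.receive(frame)
    key_from_air = sniffed[0][8:]         # flaws 1 and 2: key recovered by sniffing
    rogue_paired = pump.receive(b"PAIR" + ROGUE_REMOTE + key_from_air) == "paired"
    for _ in range(10):                   # flaw 3: replay the recorded 1.0 U bolus
        pump.receive(sniffed[1])
    return rogue_paired, pump.delivered_units


class HardenedPump:
    """Out-of-band pairing secret, counter + HMAC per command, bolus ceiling with alert."""

    def __init__(self, max_bolus_units):
        self.sessions = {}                # remote id -> [session key, last counter seen]
        self.delivered_units = 0.0
        self.max_bolus_units = max_bolus_units
        self.alerts = []

    def pair_out_of_band(self, remote, pairing_secret):
        # Assumption: the secret is typed on the pump keypad, never sent over RF.
        session_key = hmac.new(pairing_secret, b"session" + remote, hashlib.sha256).digest()
        self.sessions[remote] = [session_key, 0]
        return session_key

    def receive(self, frame):
        # Assumed layout: remote(4) | counter(8, big-endian) | units(4, float) | tag(32)
        remote, counter, units_raw, tag = frame[:4], frame[4:12], frame[12:16], frame[16:]
        if remote not in self.sessions:
            return "rejected: unknown remote"
        key, last = self.sessions[remote]
        expected = hmac.new(key, remote + counter + units_raw, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time tag check
            return "rejected: bad tag"
        ctr = struct.unpack(">Q", counter)[0]
        if ctr <= last:                                # counter must strictly increase
            return "rejected: replay"
        self.sessions[remote][1] = ctr
        units = struct.unpack(">f", units_raw)[0]
        if units > self.max_bolus_units:               # the letter's limit-and-alert setting
            self.alerts.append("bolus of %.1f U exceeds limit" % units)
            return "rejected: over limit"
        self.delivered_units += units
        return "delivered"


def make_bolus_frame(remote, session_key, counter, units):
    body = remote + struct.pack(">Q", counter) + struct.pack(">f", units)
    return body + hmac.new(session_key, body, hashlib.sha256).digest()


def run_hardened_demo():
    """Same attacks against the hardened model: replay, tamper, and an oversized bolus."""
    pump = HardenedPump(max_bolus_units=2.0)
    key = pump.pair_out_of_band(LEGIT_REMOTE, b"constructed-pairing-secret")
    legit = make_bolus_frame(LEGIT_REMOTE, key, 1, 1.0)
    first = pump.receive(legit)
    replay = pump.receive(legit)                                   # same counter again
    tampered = legit[:12] + struct.pack(">f", 9.0) + legit[16:]    # units changed, tag not
    tamper = pump.receive(tampered)
    oversized = pump.receive(make_bolus_frame(LEGIT_REMOTE, key, 2, 5.0))
    return first, replay, tamper, oversized, pump.delivered_units, len(pump.alerts)


if __name__ == "__main__":
    print("weak pump:", run_weak_demo())
    print("hardened pump:", run_hardened_demo())
```

The hardened side stays within the standard library, so it authenticates and de-duplicates commands but does not encrypt them; a real design would wrap each frame in an AEAD (AES-GCM or ChaCha20-Poly1305, for instance from the `cryptography` package) to also get the confidentiality that the cleartext flaw calls for. The pairing step is the part no amount of link-layer crypto fixes on its own: if the secret is ever sent over the air in clear, as the reused key is here, everything derived from it is sniffable.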

More details are available via the company's letter, also sent to patients. A video demonstration of Radcliffe's discoveries is available here. The OneTouch Ping vulnerabilities are tracked as CVE-2016-5084, CVE-2016-5085, and CVE-2016-5086.