The Animas OneTouch Ping insulin pump contains vulnerabilities that could be exploited by a malicious attacker to remotely trigger an insulin injection.
Security researcher Jay Radcliffe – who is himself a Type I diabetic – discovered the flaws and wrote about his findings.
What Radcliffe discovered was that there were security weaknesses in how the medical device communicated wirelessly. Specifically, a lack of encryption meant that instructions were being sent in cleartext. Combined with weak pairing between the remote and pump, this could open opportunities for remote attackers to spoof the controller and trigger unauthorized insulin injections.
If the user does not cancel the insulin delivery on the pump, there is the potential for an attacker to cause harm and potentially create a hypoglycemic reaction.
Although the risk of widespread exploitation of the flaws is considered relatively low, and no-one should panic, Animas's parent company Johnson & Johnson has issued an advisory to users of the insulin infusion pump:
“We have been notified of a cybersecurity issue with the OneTouch Ping®, specifically that a person could potentially gain unauthorized access to the pump through its unencrypted radio frequency communication system. We want you to know that Animas has investigated this issue and has worked with the appropriate regulatory authorities and security experts, as we are always evaluating ways to further ensure patient safety and security.”
The advice to users?
Well, you can of course mitigate the threat by turning off the pump's radio frequency feature. However, this means that your pump and meter can no longer communicate with each other, and blood glucose levels will need to be entered manually on the pump. That's clearly not an entirely satisfactory solution.
Animas also proposes that OneTouch Ping users enable the vibrating alert feature which will tell them if a dose is being administered remotely, and give them the option of canceling. Also, it's possible to program the OneTouch Ping pump to limit the amount of bolus insulin that can be delivered (either as a maximum or within certain time windows).
These mitigations are all very well, but they aren't a fix for the underlying problem: a failure by the device to use encrypted communications and proper authentication. The lack of an easy method for users to update the devices to improve their security is telling.
I asked Mark James, an ESET security specialist, why he felt vulnerabilities like this were being found in medical equipment:
“Quite often the problem with security in the medical or health industry is financially driven; cost is a major factor both in running and supplying the equipment used. In these instances the biggest factor is often making the equipment attainable for the masses who need it. The security of these products has to be factored into the cost and may even in some cases not be a factor at all. As we work towards an IoT environment where everything has to be connected, securing those devices in some cases is a secondary concern.
"Cost will always be a factor but nowadays security is just as important, the public need to feel safe using quite often the very things that keep them alive."
Despite his discovery, Radcliffe says that he does not believe people with diabetes should use the security concerns as a reason not to use the vulnerable equipment:
"Always take care of your diabetes first. We all know the dangers of high blood sugar and low blood sugar too. These risks often far outweigh the risks highlighted in this research."
"If any of my children became diabetic and the medical staff recommended putting them on a pump, I would not hesitate to put them on an OneTouch Ping. It is not perfect, but nothing is. In this process I have worked with Animas and its parent company, Johnson & Johnson, and know that they are focused on taking care of the patient and doing what is right."