A Boston-based cyber security company has discovered a security vulnerability in Johnson & Johnson's Animas OneTouch Ping insulin pump that could be exploited to overdose a diabetic patient with insulin.
The flaw in the J&J insulin pump was discovered by Jay Radcliffe, a diabetic and researcher at the cybersecurity firm Rapid7 Inc. According to Radcliffe's analysis, the pump system uses cleartext rather than encrypted communication in its proprietary wireless management protocol. Because of this, an attacker with the right tools could remotely spoof the Meter Remote and trigger unauthorized insulin injections.
Furthermore, the communication between the pump and the remote has no sequence numbers, timestamps or any other defense against replay attacks, so an attacker could capture a transmission and replay it later to inject a dose of insulin without the user's knowledge.
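To make the two missing protections concrete, here is an added illustration (not code from Rapid7, Animas or Johnson & Johnson, and not the pump's real protocol): a constructed, hypothetical command format in which the receiver checks a keyed MAC, a monotonically increasing sequence number and a timestamp window. A naive receiver that performs none of these checks is shown alongside it, so the contrast makes clear why a captured command can be replayed against the unprotected design and why the same command is rejected by the hardened one. The key, dose values and timestamps are all constructed sample data.

```python
import hashlib
import hmac

# Constructed, hypothetical command format for illustration only; this is
# NOT the Animas OneTouch Ping protocol. A command carries the requested
# dose, a sequence number, a sender timestamp and an HMAC tag over the
# first three fields.
def make_command(key: bytes, dose_units: float, seq: int, ts: float) -> dict:
    payload = f"{dose_units}|{seq}|{ts}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"dose_units": dose_units, "seq": seq, "ts": ts, "tag": tag}


class NaiveReceiver:
    """Models the weakness described above: no authentication, no
    sequence numbers, no timestamps. Any well-formed command is accepted,
    so a captured command is accepted again on every replay."""

    def __init__(self):
        self.accepted = []  # doses this receiver has acted on

    def receive(self, cmd: dict, now: float) -> str:
        self.accepted.append(cmd["dose_units"])
        return "accepted"


class HardenedReceiver:
    """Accepts only commands that are authenticated, fresh and in order."""

    def __init__(self, key: bytes, max_skew: float = 5.0):
        self.key = key
        self.max_skew = max_skew  # seconds of clock skew tolerated
        self.last_seq = -1        # highest sequence number accepted so far
        self.accepted = []

    def receive(self, cmd: dict, now: float) -> str:
        # 1. Authenticity/integrity: recompute the MAC with the shared key.
        payload = f"{cmd['dose_units']}|{cmd['seq']}|{cmd['ts']}".encode()
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, cmd["tag"]):
            return "rejected: bad tag"
        # 2. Replay: a sequence number at or below the last accepted one
        #    means this command (or an older one) was already processed.
        if cmd["seq"] <= self.last_seq:
            return "rejected: replay (stale sequence number)"
        # 3. Freshness: the sender timestamp must be close to our clock.
        if abs(now - cmd["ts"]) > self.max_skew:
            return "rejected: stale timestamp"
        self.last_seq = cmd["seq"]
        self.accepted.append(cmd["dose_units"])
        return "accepted"


def demo() -> dict:
    """Deliver one legitimate command, then the same captured command a
    second time, to both receiver designs. Returns the outcomes."""
    key = b"constructed-demo-key"        # constructed sample key
    cmd = make_command(key, 2.0, seq=1, ts=100.0)

    naive = NaiveReceiver()
    naive_first = naive.receive(cmd, now=101.0)
    naive_replay = naive.receive(cmd, now=102.0)

    hardened = HardenedReceiver(key)
    hard_first = hardened.receive(cmd, now=101.0)
    hard_replay = hardened.receive(cmd, now=102.0)

    return {
        "naive": (naive_first, naive_replay, naive.accepted),
        "hardened": (hard_first, hard_replay, hardened.accepted),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The sequence-number check alone stops a straight replay, the timestamp window bounds how long a captured command stays usable if the receiver's counter is ever reset, and the MAC prevents the dose or counter fields from being altered, which is why the three are normally deployed together rather than individually.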
"Someone would have to have malicious intent, they would have to want to harm another human being. And they'd have to have technical expertise, they'd have to have radio antennas and they'd have to be within 25 feet, unobstructed," said Marene Allison, chief information security officer at Johnson & Johnson, in a report from USA Today.
Rapid7 promptly informed the Animas Corporation, CERT/CC, the FDA and DHS of its findings. Johnson & Johnson commented that the risk of unauthorized access to the OneTouch Ping insulin system is extremely low. Nevertheless, the company still sent letters to doctors and about 114,000 users of the insulin pump in question informing them of the security flaw.
According to a Reuters report, J&J's letter also advises patients who use the Animas OneTouch Ping insulin pump and remain concerned about their safety to take several precautionary measures against a potential attack. These measures include discontinuing use of the wireless remote control and programming the pump to limit the maximum insulin dose.