Patients who use insulin pumps made by Johnson & Johnson are being warned this week that vulnerabilities in the devices could be exploited to trigger an overdose.

The bugs exist in OneTouch Ping, a medical device made by Animas Corp. – a subsidiary of Johnson & Johnson – which allows diabetic patients to self-administer insulin.

Both the device manufacturer and the researcher who discovered the bugs are stressing that the probability of the flaws being exploited in the wild is relatively low, as an attacker would have to be in close proximity to the device and have the requisite technical acumen.

The vulnerabilities all stem from the fact that the device’s wireless RF protocol uses clear text to communicate. That means anyone sniffing the 900 MHz band could glean information, like a patient’s blood glucose results or insulin dosage data. More troubling, a nearby attacker could use the protocol to spoof the device’s blood glucose meter and cause unauthorized insulin injections, potentially contributing to a hypoglycemic reaction.

Jay Radcliffe, a security researcher at Rapid7 who has Type 1 diabetes, uncovered the vulnerabilities back in April and disclosed them in a blog post Tuesday morning.

In addition to the remote and pump transmitting data in clear text, Radcliffe found two other glaring issues in the OneTouch Ping. The pairing process used by the pump and remote uses the same five packets to generate a “key” each time, making encryption impossible and making it easier to sniff the key, Radcliffe said.

Additionally, because of the way the pump and remote communicate, there’s no way to defend against replay attacks – attacks in which valid data transmissions are maliciously repeated or delayed – Radcliffe said. There are no sequence numbers or timestamps to help verify the order of received packets.

“Because of this, attackers can capture remote transmissions and replay them later to perform an insulin bolus without special knowledge, which can potentially cause them to have hypoglycemic reaction,” Radcliffe writes.

The last vulnerability, the lack of replay prevention, could allow an attacker to carry out an exploit from a “considerable distance,” according to Rapid7.

If an attacker used radio transmission equipment, they could potentially carry out an attack from “one to two kilometers away.” The normal distance between the remote and pump is about 10 feet, according to the OneTouch Ping owner’s booklet (PDF).

“It is believed that the weakness in this protocol would allow an attacker to perform a spoofed remote attack from a considerable distance from the user/patient. This would be done by a sufficiently powered remote sending commands to the pump in the blind, without needing to hear the acknowledgement packets,” Radcliffe writes.

Animas began sending letters (PDF) to its customers this week informing them of the vulnerabilities and steps to mitigate them.

The company is telling users concerned about their security that they can disable the pump’s RF feature and enter their blood glucose readings manually. Users can also program the device to either limit the amount of bolus insulin that can be delivered or warn them if a dose has been initiated by the meter remote, according to Animas.

Rapid7 points out that if the device used industry standard encryption with a unique key pair, it could mitigate the issues too.
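To make the two design points above concrete (the missing sequence numbers or timestamps that leave the pump unable to tell a replayed frame from a fresh one, and the per-pairing key and authenticated encryption Rapid7 names as the fix), here is a constructed illustration. It is an added example, not the OneTouch Ping protocol and not code from Rapid7 or Animas; the frame layout, command code, pairing key and dose values are all invented for the demonstration. It models a naive receiver that acts on any well-formed frame beside a hardened receiver that requires a per-pairing key, a strictly increasing counter and an HMAC tag, and shows how the second one rejects a resubmitted frame and a tampered dose.

```python
import hmac
import hashlib
import struct

# Constructed, simplified model of a remote-to-pump command channel.
# Nothing here is the real device protocol: frame layout, command byte,
# key and doses are made up for illustration.

CMD_BOLUS = 0x01  # hypothetical command code


class NaivePump:
    """Receiver with no replay protection: any well-formed frame is acted on."""

    def __init__(self):
        self.delivered_units = 0.0

    def receive(self, frame: bytes) -> bool:
        cmd, tenths = struct.unpack(">BH", frame)
        if cmd == CMD_BOLUS:
            self.delivered_units += tenths / 10
            return True
        return False


def naive_frame(tenths_of_unit: int) -> bytes:
    """Cleartext frame: command byte plus dose, no key, counter or tag."""
    return struct.pack(">BH", CMD_BOLUS, tenths_of_unit)


class HardenedPump:
    """Receiver that checks a MAC under the pairing key and a monotonic counter."""

    BODY_LEN = 7    # 1-byte command + 2-byte dose + 4-byte counter
    TAG_LEN = 32    # HMAC-SHA256

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0  # highest counter value accepted so far
        self.delivered_units = 0.0

    def receive(self, frame: bytes) -> str:
        if len(frame) != self.BODY_LEN + self.TAG_LEN:
            return "rejected: malformed"
        body, tag = frame[:self.BODY_LEN], frame[self.BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Check the tag first so a forged or tampered frame never reaches the counter logic.
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad MAC"
        cmd, tenths, counter = struct.unpack(">BHI", body)
        # A captured frame carries an old counter value, so resubmitting it fails here.
        if counter <= self.last_counter:
            return "rejected: replay"
        self.last_counter = counter
        if cmd == CMD_BOLUS:
            self.delivered_units += tenths / 10
            return "accepted"
        return "rejected: unknown command"


class HardenedRemote:
    """Sender side: increments the counter on every frame and tags the body."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def bolus_frame(self, tenths_of_unit: int) -> bytes:
        self.counter += 1
        body = struct.pack(">BHI", CMD_BOLUS, tenths_of_unit, self.counter)
        tag = hmac.new(self.key, body, hashlib.sha256).digest()
        return body + tag


def demo():
    # Naive channel: the same bytes submitted twice are indistinguishable from two commands.
    naive = NaivePump()
    captured = naive_frame(15)  # constructed dose of 1.5 units
    naive.receive(captured)
    naive.receive(captured)

    # Hardened channel with a constructed pairing key (not a real secret).
    key = b"constructed-demo-key-not-a-real-pairing-secret"
    remote, pump = HardenedRemote(key), HardenedPump(key)
    frame = remote.bolus_frame(15)
    results = [pump.receive(frame), pump.receive(frame)]  # second submission is a replay
    tampered = bytearray(remote.bolus_frame(15))
    tampered[2] ^= 0xFF  # flip a dose byte: MAC no longer matches
    results.append(pump.receive(bytes(tampered)))
    results.append(pump.receive(remote.bolus_frame(15)))  # fresh counter, accepted
    return naive.delivered_units, pump.delivered_units, results


if __name__ == "__main__":
    print(demo())
```

Two design notes apply when the counter is the only freshness signal, as in this model: the receiver must persist `last_counter` across power cycles so a restart does not reopen the replay window, and the tag is only as strong as the pairing key, which is why a key derived from the same fixed packets on every pairing (the second issue Radcliffe reported) would undermine the check even with the counter in place.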

A spokesperson for Animas told Threatpost on Tuesday that since the device isn’t connected to the internet, it’s not possible to patch the vulnerabilities. Instead, the company is urging users to implement one of the aforementioned safeguards to ensure the pump remains safe and reliable.

News of the vulnerabilities comes as both the Food and Drug Administration and the Department of Homeland Security are looking into claims that devices made by St. Jude, a Minnesota-based medical device company, are fraught with vulnerabilities.

The investigation was prompted after Muddy Waters, an investment firm, issued a report based on research carried out by the medical device security firm MedSec in late August warning of critical bugs in pacemakers, defibrillators, and other devices manufactured by St. Jude Medical. MedSec got a lot of heat for disclosing the bugs to Muddy Waters, instead of St. Jude, as it was doing so in an attempt to short St. Jude’s stock and recoup research costs. The medical device manufacturer contested the allegations and sued both companies in early September.

Radcliffe has highlighted medical device security in the past; at DEFCON in 2011 he demonstrated how he could tweak the dosage levels on his own insulin pump remotely. That hack ultimately prompted two senior members of the House Energy & Commerce Committee to call on the Government Accountability Office (GAO) to further investigate wireless medical device security. The research around the OneTouch Ping devices harkens back to Radcliffe’s earlier research and similar research done by Barnaby Jack in 2011 on Medtronic insulin pumps, devices that also failed to use encryption.

In a statement provided to Threatpost from the FDA, the agency confirmed that it was aware of the vulnerabilities throughout the coordinated disclosure process, and applauded both Johnson & Johnson and Rapid7 for following the draft guidance on postmarket management of cybersecurity in medical devices it issued in January.

“This is the proactive behavior the FDA has been looking to see from the medical device manufacturer and research community and demonstrates the collaborative manner in which vulnerabilities can be addressed in a way that best protects patients. The FDA applauds these efforts and will continue to encourage this type of coordinated disclosure moving forward,” the FDA said.

The agency issued the guidelines in hopes that manufacturers could address risks in devices before and after they’re released. The document encouraged companies to adopt a risk management program, a vulnerability disclosure policy, and deploy mitigations that can identify risk early and prior to exploitation.

The agency stressed in 2013, in the wake of research by Radcliffe and Jack, that medical devices that can be implanted or worn on the body and involve RF wireless technology should securely transmit data. The agency urged manufacturers to “include protocols that maintain the security of the communications while avoiding known shortcomings of existing older protocols,” and use the latest “up-to-date wireless encryption.”
