A Rapid7 researcher found out that Johnson & Johnson Animas’ Insulin Pumps can be hacked where attackers can increase the patient’s regular insulin dose, making it an overdose.
Insulin pumps are used by all diabetes patients especially the Animas’ OneTouch Ping is quite popular among diabetics. But Jay Radcliffe of Rapid 7 has a rather alarming revelation to tell.
According to the security firm Rapid7’s security researcher, Radcliffe, the device contains not one, not two but three security flaws that can be exploited by attackers easily and may cause grave consequences.
It starts through remote hacking, the attacker can increase the patient’s regular insulin dose, making it an overdose. This can lead to the generation of hypoglycemic reactions. It must be noted that such reactions can be fatal for the patient.
Due to the security flaws, the attacker can interrupt the connection between the pump device and its remote control unit and can send his own commands causing the dose to be increased to extreme levels.
However, Radcliffe, the one who identified the vulnerabilities, states that as of now there is no need to get worried because his research has revealed a risk that was not known until now and that the attacker has to be physically closer to the pump to conduct the attack. In fact, the attacks can be conducted from remote locations since the devices communicate through a 900MHZ radio frequency. The attacker has to be in a 90m range to carry out the attack if using radio equipment and if the equipment is more powerful, the attacker can launch an attack from 1 to 2 km’s distance.
Radcliffe further stated that:
“Some people will choose to see this as significant, and for that, they can turn off the rf/remote features of the pump and eliminate that risk. […] If you are concerned, work with your endocrinologist and device vendor to make sure you are making the best choices. Removing an insulin pump from a diabetic over this risk is similar to never taking an airplane because it might crash.”
According to the researcher, the way the pump connects and takes commands from its remote controller is the primary cause behind the creation of the flaws. The three flaws, as identified by Radcliffe include: communications are not encrypted and conducted in cleartext format, the same key is used by the pump-remote pairing system that makes it easier to be exploited, commands can easily be replayed by the attacker because the pump isn’t protected from replay attacks. However, since the pumps do not communicate via the internet, therefore, an attacker cannot exploit the device using an internet connection.
Animas, which is a Johnson & Johnson subsidiary, is working in close collaboration with Radcliffe to resolve the issue ever since it was identified in April. As of now, Johnson & Johnson is trying its level best to notify users of the insulin pump through email and urging patients to disable the Radio Frequency connectivity feature of the device. To do this, patients need to follow this sequence in the Settings menu of the device: Settings>Advanced>Meter/10 Screen> RF=OFF.