Johnson & Johnson says people with diabetes don't need to worry about potentially lethal wireless attacks on insulin pumps

Rapid7 security researcher Jay Radcliffe (previously) has Type I diabetes, and has taken a personal interest in rooting out vulnerabilities in the networked, wireless-equipped blood-sugar monitors and insulin-pumps marketed to people with diabetes, repeatedly discovering potentially lethal defects in these devices.

Recently, Radcliffe revealed that Johnson & Johnson's 2008 Animas OneTouch Ping insulin pump did not encrypt communications between it and its remote control, allowing attackers to cause it to dump all of its insulin in one deadly bolus.

Johnson & Johnson sent a letter to its customers downplaying the risk, saying that "The probability of unauthorized access to the OneTouch Ping system is extremely low" and "It would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping system is not connected to the internet or to any external network."

Other proof-of-concept attacks on medical implants envisioned spreading from device to device, for example, as users came together in specialized hospital clinics.

Radcliffe previously advised the US Copyright Office that Section 1201 of the Digital Millennium Copyright Act had prevented him from coming forward with similar revelations.

Medical devices are notoriously insecure, though some devices stand out as being especially alarming.

The OneTouch Ping insulin pump system uses cleartext communications rather than encrypted communications, in its proprietary wireless management protocol. Due to this lack of encryption, Rapid7 researcher Jay Radcliffe discovered that a remote attacker can spoof the Meter Remote and trigger unauthorized insulin injections.

Due to these insulin vulnerabilities, an adversary within sufficient proximity (which can depend on the radio transmission equipment being used) can remotely harm users of the system and potentially cause them to have a hypoglycemic reaction, if he or she does not cancel the insulin delivery on the pump.

These issues have been reported to the vendor, Animas Corporation, CERT/CC, the FDA and DHS. Animas has been highly responsive and is proactively notifying users of the devices, and recommending mitigations for the risks.
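As an added illustration (not code from the Rapid7 advisory, and not the OneTouch Ping's real protocol), the constructed Python model below contrasts a pump that obeys any well-formed cleartext frame with one that requires a pairing-key HMAC and a strictly increasing counter before delivering a dose; the frame layout, key, and dose encoding are all assumptions.

```python
import hmac
import hashlib
import struct

# Constructed example. Frame = 4-byte counter + 2-byte dose (units x100) + 8-byte HMAC tag.
# The pairing key is assumed to be shared out-of-band when the remote is paired.
PAIRING_KEY = b"constructed-pairing-key-for-demo"


def encode_cmd(counter, units_x100, key=PAIRING_KEY):
    """Build a bolus command frame as a paired remote would."""
    body = struct.pack(">IH", counter, units_x100)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:8]
    return body + tag


class ClearTextPump:
    """Models the reported weakness: no sender check, any well-formed frame is obeyed."""
    def __init__(self):
        self.delivered = 0

    def receive(self, frame):
        _, units = struct.unpack(">IH", frame[:6])
        self.delivered += units
        return True


class AuthenticatedPump:
    """Verifies the tag with the pairing key and rejects replayed counters."""
    def __init__(self, key=PAIRING_KEY):
        self.key, self.last_counter, self.delivered = key, 0, 0

    def receive(self, frame):
        if len(frame) != 14:
            return False
        body, tag = frame[:6], frame[6:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False  # sender does not hold the pairing key
        counter, units = struct.unpack(">IH", body)
        if counter <= self.last_counter:
            return False  # replayed or out-of-order frame
        self.last_counter = counter
        self.delivered += units
        return True


def demo():
    legit = encode_cmd(1, 250)  # 2.50 units from the paired remote
    forged = encode_cmd(2, 30000, key=b"wrong-key")  # constructed frame from an unpaired sender
    clear, auth = ClearTextPump(), AuthenticatedPump()
    return {
        "clear_accepts_forged": clear.receive(legit) and clear.receive(forged),
        "auth_accepts_legit": auth.receive(legit),
        "auth_rejects_forged": not auth.receive(forged),
        "auth_rejects_replay": not auth.receive(legit),
        "clear_delivered": clear.delivered,
        "auth_delivered": auth.delivered,
    }
```

The tag only authenticates the sender; the dose field is still readable in cleartext, so confidentiality would need encryption on top of this, which the model leaves out.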

R7-2016-07: Multiple Vulnerabilities in Animas OneTouch Ping Insulin Pump
[Todb/Rapid7]

Exclusive: J&J warns diabetic patients – Insulin pump vulnerable to hacking
[Jim Finkle/Reuters]

(via Consumerist)