The OneTouch Ping insulin pumps manufactured by Animas, a company owned by Johnson & Johnson, are affected by multiple several vulnerabilities that can be exploited by remote hackers to harm the diabetic patients who use them. While the security holes are serious, the risk is considered relatively low and the
The bad news it that the vendor does not plan on releasing a fix for the flaws despite they are serious because they flaws are difficult to exploit.
The researcher Jay Radcliffe from Rapid7 analyzed OneTouch Ping insulin pumps manufactured by Animas. The medical devices are composed of two main components, the actual insulin pump and a component of the remote control.
“The Animas OneTouch Ping insulin pump contains multiple vulnerabilities that may allow an unauthenticated remote attacker to obtain patient treatment or device data, or execute commands on the device. The attacker cannot obtain personally identifiable information.” reads the advisory published by the US-CERT.
It is important to highlight that the OneTouch Ping insulin pumps are not connected to the Internet, this means that the exploitation of the flaws discovered by the experts could not be exploited from remote distances.
The experts explained that using a special radio transmission equipment could allow attacks to be conducted from a distance even up to one mile.
One of the most disconcerting discoveries made by the researcher is that the remote control and the pump communicate over an unencrypted channel. An attacker can exploit this flaw tracked as CVE-2016-5084 to launch a man-in-the-middle (MitM) attack to intercept patient treatment and device data. The only consolation is that data exposed do not include any personally identifiable information.
“Packet captures demonstrate that the communications between the remote and the pump are transmitted in the clear. During the normal course of operation, de-identified blood glucose results and insulin dosage data is being leaked out for eavesdroppers to remotely receive.” states the blog post published by Rapid7.
A second flaw, tracked as CVE-2016-5085, is related to the pump pairing with the remote control, an operation necessary to authenticate the controller with medical devices in order to prevent it from accidentally accepting commands from other remote controllers. In this case, the OneTouch Ping insulin pumps use a key to exchange information with the controllers that are composed of serial numbers and some header information, unfortunately, it is transmitted in clear text. An attacker can exploit the flaw to spoof the remote control and issue commands to arbitrarily dispense insulin, which dramatic consequences.
The researcher also reported also other two serious issues affecting the OneTouch Ping insulin pumps, CVE-2016-5086 and CVE-2016-5686, that could be exploited to spoof the devices by capturing packets and used them at a later time.
Radcliffe confirmed the relatively low risk of exposure to the vulnerabilities, anyway such kind of study raises awareness of the threats and potential damages caused by a cyber attack.
“Removing an insulin pump from a diabetic over this risk is similar to never taking an airplane because it might crash,” the expert noted.
Summarizing the three major flaws reported by Radcliffe during his analysis are:
Johnson & Johnson notified patients and healthcare professionals of Rapid7’s findings via mail, it also explained how to mitigate the threat by features available in the OneTouch Ping insulin pumps.
Give a look at the report, it also includes a video PoC of the attack
(Security Affairs – OneTouch Ping insulin pumps, hacking)