The OneTouch Ping insulin pump from Animas contains vulnerabilities that a malicious attacker could exploit to trigger an insulin injection remotely.
Jay Radcliffe, a security researcher who is himself a Type I diabetic, discovered these flaws and published his findings.
The weaknesses lie in the device's wireless communication: the link between the pump and its remote is not encrypted, so instructions are sent in cleartext, and the pairing between pump and remote is weak. Together these give an attacker the opportunity to take control of the pump and trigger insulin injections.
This creates the potential for an attacker to harm the victim, possibly causing a hypoglycemic reaction if the user does not stop the insulin delivery on the pump.
However, the likelihood of widespread exploitation of this flaw is relatively low, and people shouldn’t panic. Johnson & Johnson, the parent company of Animas, issued precautionary advice to users of the pump.
“We have been notified of a cybersecurity issue with the OneTouch Ping®, specifically that a person could potentially gain unauthorized access to the pump through its unencrypted radio frequency communication system. We want you to know that Animas has investigated this issue and has worked with the appropriate regulatory authorities and security experts, as we are always evaluating ways to further ensure patient safety and security.”
Animas's advice to its users
Turning off the pump’s radio frequency communication mitigates the risk. But this also means the meter and pump can no longer communicate with each other, so blood glucose readings must be entered manually. That is not a satisfactory solution, since people paid for this feature.
Animas also suggests that users enable the vibrating alert feature, which notifies them if a dose is triggered remotely and allows them to cancel it. It is also possible to limit the amount of bolus insulin that can be injected (either as a maximum per dose or within a time period).
However, these mitigations do not address the underlying problem: the device's failure to use proper authentication and encrypted communication. Security of such devices matters, as the public needs to feel secure while using the very things that keep them alive.
Despite his research, Radcliffe says that people with diabetes shouldn’t see the security concern as a reason not to use the vulnerable equipment:
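The controls described above can be modelled on the pump side: commands from the paired remote are authenticated with a keyed MAC and a monotonic counter (so cleartext, forged or replayed messages are rejected), and accepted doses are checked against a per-dose cap and a cap over a time window. This is an added example, not Animas code and not the OneTouch Ping's real protocol; the message format, pairing key and limit values are constructed for illustration.

```python
import hmac
import hashlib
import struct

# Assumed limits (constructed values, not the pump's real settings)
MAX_BOLUS_UNITS = 10.0    # cap on a single remote-triggered dose
MAX_WINDOW_UNITS = 20.0   # cap on total delivered within WINDOW_SECONDS
WINDOW_SECONDS = 3600


class PumpReceiver:
    """Pump side of a hypothetical authenticated remote-bolus channel."""

    def __init__(self, pairing_key: bytes):
        self.key = pairing_key        # secret shared at pairing time
        self.last_counter = 0         # highest counter accepted so far
        self.delivered = []           # (timestamp, units) of accepted doses

    def handle(self, msg: bytes, now: float) -> str:
        # Constructed wire format: counter(4) | units*100 (4) | HMAC-SHA256 tag(32)
        if len(msg) != 40:
            return "reject: malformed"
        body, tag = msg[:8], msg[8:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "reject: bad tag"          # unauthenticated or forged command
        counter, centi_units = struct.unpack(">II", body)
        if counter <= self.last_counter:
            return "reject: replay"           # captured message sent again
        units = centi_units / 100
        if units > MAX_BOLUS_UNITS:
            return "reject: exceeds per-dose limit"
        recent = sum(u for t, u in self.delivered if now - t < WINDOW_SECONDS)
        if recent + units > MAX_WINDOW_UNITS:
            return "reject: exceeds window limit"
        self.last_counter = counter
        self.delivered.append((now, units))
        return f"accept: {units} units"


def build_command(key: bytes, counter: int, units: float) -> bytes:
    """Remote side: build a counter-tagged, MAC-authenticated bolus command."""
    body = struct.pack(">II", counter, int(round(units * 100)))
    return body + hmac.new(key, body, hashlib.sha256).digest()
```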
“Always take care of your diabetes first. We all know the dangers of high blood sugar and low blood sugar too. These risks often far outweigh the risks highlighted in this research.”
“If any of my children became diabetic and the medical staff recommended putting them on a pump, I would not hesitate to put them on a OneTouch Ping. It is not perfect, but nothing is. In this process, I have worked with Animas and its parent company, Johnson & Johnson, and know that they are focused on taking care of the patient and doing what is right.”
About the Author
Peter Buttler is an Infosec Journalist and Tech Reporter and a member of the IDG Network. In 2011, he completed a Master's in Cybersecurity and Technology. He has worked for leading security and tech companies as a Staff Writer. Currently, he contributes to a number of online publications, including The Next Web, CSO Online, Infosecurity Magazine, SC Magazine, Tripwire, GlobalSign and CSO Australia. His favorite areas are online privacy, AI, IoT, VR, blockchain, big data, ML and fintech. You can follow him on Twitter.