The OneTouch Ping Insulin Pump system from medical device manufacturer Animas Corporation contains three vulnerabilities that could allow a remote attacker to trigger an overdose, warned Internet security firm Rapid7, in an announcement later confirmed by Animas.
Rapid7 took steps to allay the public's fears, noting that such a scenario is highly unlikely and could only be carried out against a targeted victim by an attacker located in proximity. “These devices use proprietary communications in their own little ecosphere. It's not like you could create a worm and attack all of them,” said Jay Radcliffe, senior security consultant and researcher at Rapid7, who discovered the vulnerabilities. “This is an exceptionally low-risk situation for patients,” he added, in an interview with SCMagazine.com.
Still, the potentially fatal ramifications are serious enough that Animas has gone public and suggested mitigations for customers with concerns.
The OneTouch Ping system is actually comprised of two devices in one: the insulin pump itself, as well as a blood glucose meter that allows users to control the pump remotely via wireless radio frequency signals, using a proprietary management protocol operating in the 900MHz band. According to an advisory published earlier this week by Rapid7, bad actors with access to radio transmission gear typically used by ham radio hobbyists can potentially intercept and modify these signals from a distance of one to two kilometers, or further depending on factors such as elevation.
Two of the vulnerabilities are the result of a lack of encryption between the remote and pump during their interactions. For starters, all communications between the remote and the pump – including de-identified blood glucose results and insulin dosage data – are broadcast in the clear, leaving them accessible to wireless eavesdroppers, warned Rapid7. Secondly, the pairing process that wirelessly marries the two devices and prevents the pump from receiving transmissions from foreign sources, consists of a five-packet exchange that also does not use encryption.
The exchange, which is exactly the same every time the pairing is initiated, essentially creates a key that enables transmissions between the two devices. According to Rapid7, “Attackers can trivially sniff the remote/pump key and then spoof being the remote or the pump. This can be done without knowledge of how the key is generated. This vulnerability can be used to remotely dispense insulin and potentially cause the patient to have a hypoglycemic reaction.”
Finally, communication between the two devices has no built-in defenses against replay attacks in which attackers intercept the remote meter's transmissions and then resend them later – perhaps multiple times – in order to administer insulin at dangerous levels. Moreover, Rapid7 reported, “the protocol the remote meter and pump use to communicate does not have elements that guarantee the devices have received the packets in a certain order or at all. It is believed that the weakness in this protocol would allow an attacker to perform a spoofed remote attack from a considerable distance from the user/patient. This would be done by a sufficiently powered remote sending commands to the pump in the blind, without needing to hear the acknowledgement packets.”
Radcliffe is himself a Type 1 diabetic who at one time used the OneTouch Ping product until he began taking insulin shots manually instead (not because of security reasons). Naturally, his past experience with the product triggered his curiosity about its security. “I think that's the most important aspect of me being a diabetic –understanding how the treatment works. If you don't have an understanding of how these devices impact the human body – a person's health – it's really hard to put that in the context of what these technology vulnerabilities would do and how they put a person or patient at risk,” Radcliffe told SCMagazine.com.
Radcliffe and Rapid7 initially notified Animas of the vulnerabilities in April 2016, also contacting the CERT Coordination Center, the FDA and DHS. “I feel very comfortable with Johnson & Johnson's response, and if my children needed insulin, I would not hesitate to use Animas,” said Radcliffe.
“…The probability of unauthorized access to the OneTouch Ping System is extremely low,” reads an online statement published today by West Chester, Pennsylvania-based Animas, a division of Johnson & Johnson. “It would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping system is not connected to the Internet or to any external network. In addition, the system has multiple safeguards to protect its integrity and prevent unauthorized action.”
To mitigate its product's flaws, Animas suggested that users program the pump to limit the amount of insulin delivered within a given period of time. (Under such a setting, an alarm would go off if the pump exceeded the limit.) Users can also enable a Vibration Alert feature that indicates whenever the pump is initiating a dose – thus preventing a would-be attacker from secretly administering insulin.
Alternatively, the user can simply turn the pump's RF feature off, although that would render the remote useless, forcing the patient to operate the pump manually.
The Rapid7 advisory also noted that Animas itself could mitigate these issues by “using industry standard encryption with a unique key pair.”
In this particular instance, the medical product in question is not Internet-enabled. But as more of these devices become connected online, additional precautions will be necessary, cautioned Eve Maler, VP of innovation and emerging technology at digital identity company ForgeRock, in comments emailed to SCMagazine.com. “We believe that in the very short term, IoT systems will begin implementing identity-centric security and privacy controls from the device out to the cloud,” said Maler. “In order to activate and protect an interconnected system where devices have the ability to communicate to and through each other, these Internet-connected devices must be able to continuously authenticate their user's identity and offer privacy controls for sharing data selectively.”