Skip to main content
  1. Home
  2. Computing
  3. Health & Fitness
  4. News

Hackers can gain control of an insulin pump to inject a harmful dose into patients

Add as a preferred source on Google

When someone mentions hacking, generally it’s about teens breaking into the government’s network or the latest retail/service breach grabbing the personal data of millions of customers. Cracking into an individual’s pacemaker or insulin pump doesn’t really come to mind, but it’s possible and does happen. Johnson & Johnson is actually warning patients now about a security vulnerability found in one of its insulin pumps.

The good news is that the risk of using the affected Animas OneTouch Ping insulin pump is extremely low, so there’s no need for panic. The bad news is that if exploited, hackers could overdose diabetic patients with insulin. Right now there are only around 114,000 patients who actually use this specific medical device.

Recommended Videos

The vulnerability was discovered by researcher Jay Radcliffe of the cybersecurity firm Rapid7 Inc., who also happens to be diabetic. Radcliffe revealed his findings to Johnson & Johnson in April and published the news on the Rapid7 blog on September 28. Johnson & Johnson is just now getting around to informing patients through standard mail.

According to the product page, the Animas OneTouch Ping provides a Meter Remote so that patients can give themselves an insulin dose without having to touch the pump itself. In addition to checking blood sugar levels, the remote also allows users to remotely control pump functions, calculate how much bolus insulin is needed, and more.

The problem is that the wireless connection between the remote and the pump is not secure. They communicate in the 900MHz band using a proprietary Wi-Fi protocol based on “cleartext” communications. Without encryption, a hacker could potentially fake a Meter Remote connection and give a patient a harmful dose of insulin.

“Due to these insulin vulnerabilities, an adversary within sufficient proximity (which can depend on the radio transmission equipment being used) can remotely harm users of the system and potentially cause them to have hypoglycemic reaction, if he or she does not cancel the insulin delivery on the pump,” Radcliffe reports.

By gaining access to the connection between the pump and the remote, hackers can see the blood glucose results and the insulin dosage data. They gain access by sniffing the 5-packet “key” passed between the pump and remote, which remains the same each time the two devices are paired. This is supposedly to prevent other household remote controls from activating the pump.

“Communication between the pump and remote have no sequence numbers, timestamps, or other forms of defense against replay attacks,” Radcliffe added. “Because of this, attackers can capture remote transmissions and replay them later to perform an insulin bolus without special knowledge, which can potentially cause them to have hypoglycemic reaction.”

So what took so long for Johnson & Johnson to report the problem? The company had to reproduce Radcliffe’s finding before it warned patients of a potential problem. Brian Levy, chief medical officer with Johnson & Johnson’s diabetes unit, told Reuters they discovered a hacker could actually inject patients with a harmful dose of insulin from up to 25 feet away.

In a letter to patients, Johnson & Johnson said that OneTouch Ping owners who are worried about a potential hack can stop using the remote, or program the pump to limit the maximum dose of insulin. Users can also turn on the Vibrating Alert feature to warn of an insulin dose that is about to be initiated via the remote control. Animas provides a letter to patients here.

Kevin Parrish
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
Google’s new Magic Pointer Play Store listing reveals a Gemini shortcut built for Googlebooks
The unannounced app turns the cursor into a contextual AI tool for search, image creation, and shopping
Plant, Text, Business Card

Google has quietly published a new Play Store listing for Magic Pointer, an unannounced app built for Googlebooks. Updated on July 10, the app turns the cursor into a Gemini shortcut that can act on whatever a user selects on screen.

Magic Pointer can send an image to Lens, generate a related image, or surface a shopping action without forcing users to open a separate chatbot. Regular Android devices currently show as incompatible, so the listing offers an early preview rather than a broad release.

Read more
You can stop using AI, but this new report says you probably can’t escape it
A UK survey found that most people feel AI exposure is unavoidable, raising harder questions about consent, privacy, and whether opting out is still realistic
AI Chatbots

More people are trying to use less AI, but avoiding it altogether may already be impossible.

A survey of 2,055 UK adults found that 42% deliberately limit how much AI they use. Another 70% said avoiding AI exposure would be difficult or impossible, even when they actively wanted less of it.

Read more
The face on an AI interviewer may matter as much as the decision it makes
Researchers found that race and gender matching changed how fairly rejected applicants viewed an automated interview, even though everyone received the same outcome
File, Computer Hardware, Electronics

An AI hiring system can treat every applicant the same and still leave some people feeling targeted. Researchers found that rejected candidates judged an automated interview differently depending on the race and gender of the avatar delivering the result.

Around 220 participants completed a simulated interview for a fictional customer support role with one of four photorealistic AI avatars. Everyone was rejected, yet perceptions of fairness shifted with the interviewer’s appearance. An algorithm audit could miss that reaction because candidates don’t experience the system as raw code. They experience a face asking questions and judging their answers.

Read more