Hackers can gain control of an insulin pump to inject a harmful dose into patients

johnson animas onetouch ping insulin pump vulnerable hacker attack animus head
When someone mentions hacking, generally it’s about teens breaking into the government’s network or the latest retail/service breach grabbing the personal data of millions of customers. Cracking into an individual’s pacemaker or insulin pump doesn’t really come to mind, but it’s possible and does happen. Johnson & Johnson is actually warning patients now about a security vulnerability found in one of its insulin pumps.

The good news is that the risk of using the affected Animas OneTouch Ping insulin pump is extremely low, so there’s no need for panic. The bad news is that if exploited, hackers could overdose diabetic patients with insulin. Right now there are only around 114,000 patients who actually use this specific medical device.

The vulnerability was discovered by researcher Jay Radcliffe of the cybersecurity firm Rapid7 Inc., who also happens to be diabetic. Radcliffe revealed his findings to Johnson & Johnson in April and published the news on the Rapid7 blog on September 28. Johnson & Johnson is just now getting around to informing patients through standard mail.

According to the product page, the Animas OneTouch Ping provides a Meter Remote so that patients can give themselves an insulin dose without having to touch the pump itself. In addition to checking blood sugar levels, the remote also allows users to remotely control pump functions, calculate how much bolus insulin is needed, and more.

The problem is that the wireless connection between the remote and the pump is not secure. They communicate in the 900MHz band using a proprietary Wi-Fi protocol based on “cleartext” communications. Without encryption, a hacker could potentially fake a Meter Remote connection and give a patient a harmful dose of insulin.

“Due to these insulin vulnerabilities, an adversary within sufficient proximity (which can depend on the radio transmission equipment being used) can remotely harm users of the system and potentially cause them to have hypoglycemic reaction, if he or she does not cancel the insulin delivery on the pump,” Radcliffe reports.

By gaining access to the connection between the pump and the remote, hackers can see the blood glucose results and the insulin dosage data. They gain access by sniffing the 5-packet “key” passed between the pump and remote, which remains the same each time the two devices are paired. This is supposedly to prevent other household remote controls from activating the pump.

“Communication between the pump and remote have no sequence numbers, timestamps, or other forms of defense against replay attacks,” Radcliffe added. “Because of this, attackers can capture remote transmissions and replay them later to perform an insulin bolus without special knowledge, which can potentially cause them to have hypoglycemic reaction.”

So what took so long for Johnson & Johnson to report the problem? The company had to reproduce Radcliffe’s finding before it warned patients of a potential problem. Brian Levy, chief medical officer with Johnson & Johnson’s diabetes unit, told Reuters they discovered a hacker could actually inject patients with a harmful dose of insulin from up to 25 feet away.

In a letter to patients, Johnson & Johnson said that OneTouch Ping owners who are worried about a potential hack can stop using the remote, or program the pump to limit the maximum dose of insulin. Users can also turn on the Vibrating Alert feature to warn of an insulin dose that is about to be initiated via the remote control. Animas provides a letter to patients here.

Music

From Jay Rock to Saba, these are the 50 best albums of 2018

We've spent the year listening to new albums, digging deep, and culling our master list into 50 favorites. From blockbuster releases to hidden gems, these are the best albums of 2018.
Movies & TV

Stay inside this winter with the best shows on Hulu, including 'Killing Eve'

It's often overwhelming to navigate Hulu's robust library of TV shows. To help, we put together a list of the best shows on Hulu, whether you're into frenetic cartoons, intelligent dramas, or anything in between.
Deals

Amazon Fire Deals: Tablets, TVs, and TV controllers in stock and ready to ship

Last-minute shoppers, and anyone seeking good deals on Amazon Fire products, are in luck. There's still time to order Fire Tablets, Fire TVs, and Fire media players, Fire CVRs, and Alexa-voice-compatible Fire remotes for Christmas delivery.
Outdoors

Drink what nature provides with the best water purifiers

Looking for reliable water purification? Staying hydrated is important, especially when you are hiking or camping far from civilization. Check out our picks of the best water purifiers for your camp, backpack, or pocket.
Gaming

With our Steam guide, you can give the gift of gaming this holiday season

The holidays may have passed, but it's always a good time to give the gift of gaming (especially when there's a Steam sale)! Here's our quick guide on how to give a Steam game as a gift.
Photography

Forget painting-style transfers, this A.I. creates realistic portraits of fake people

Do these images look computer-generated? Nvidia researchers recently published a paper on a new variation on style transfer artificial intelligence that's able to generate entirely new portraits.
Computing

Leaked HP laptop listing reveals entry-level Nvidia MX250 GPU

Alongside powerful graphics cards, Nvidia may have more mobile GPUs to show off at next year's CES show in January. The MX250 has been spotted in a listing for an HP laptop, potentially replacing the entry-level MX150.
Computing

ZSpace’s laptop brings education to life with its own 3D technology

The ZSpace laptop wants to overhaul education and training by offering affordable access to 3D mixed reality through a bespoke screen and glasses technology that is already supported by a wide array of applications.
Computing

Former Microsoft intern claims Google may have sabotaged Edge browser

Google's Chrome web browser has been able to establish such dominance that Microsoft is abandoning its web rendering engine, switching Edge over to Chromium, but did Google play dirty in an attempt to force Microsoft to make the decision?
Computing

ViewSonic’s 1080p gaming monitor lets you experience the action in style

ViewSonic is catering to gamers with its latest monitor, the XG240R. Featuring a 1080p 144Hz panel, RGB lighting, and a fast 1ms response time, you can conquer your opponents and do it in style.
Computing

Here’s why you might still be using Wi-Fi after cellular 5G launches

Cellular 5G might be around the corner and promising to deliver lightning fast speeds, but the folks over at the Wi-Fi Alliance have a few reasons why they think you shouldn't dump Wi-Fi just yet.
Computing

Pinning websites to your taskbar is as easy as following these quick steps

Would you like to know how to pin a website to the taskbar in Windows 10 in order to use browser links like apps? Whichever browser you're using, it's easier than you might think. Here's how to get it done.
Computing

Detangle your desk with a mighty wireless mouse. Here are our six favorites

If you're looking for the best wireless mouse on the market, we've got the list for you!. These six models have something for everyone, whether you're a hardcore gamer or simply looking to ward off carpal tunnel.
Web

Canceling Amazon Prime is easy, and you might get a refund

Don't be intimidated. Learning how to cancel Amazon Prime is easier than you might think. You might even get a partial or full refund on the cost, depending on how much you've used it. Check out our quick-hit guide for doing so.