Skip to main content

Hackers can gain control of an insulin pump to inject a harmful dose into patients

When someone mentions hacking, generally it’s about teens breaking into the government’s network or the latest retail/service breach grabbing the personal data of millions of customers. Cracking into an individual’s pacemaker or insulin pump doesn’t really come to mind, but it’s possible and does happen. Johnson & Johnson is actually warning patients now about a security vulnerability found in one of its insulin pumps.

The good news is that the risk of using the affected Animas OneTouch Ping insulin pump is extremely low, so there’s no need for panic. The bad news is that if exploited, hackers could overdose diabetic patients with insulin. Right now there are only around 114,000 patients who actually use this specific medical device.

The vulnerability was discovered by researcher Jay Radcliffe of the cybersecurity firm Rapid7 Inc., who also happens to be diabetic. Radcliffe revealed his findings to Johnson & Johnson in April and published the news on the Rapid7 blog on September 28. Johnson & Johnson is just now getting around to informing patients through standard mail.

According to the product page, the Animas OneTouch Ping provides a Meter Remote so that patients can give themselves an insulin dose without having to touch the pump itself. In addition to checking blood sugar levels, the remote also allows users to remotely control pump functions, calculate how much bolus insulin is needed, and more.

The problem is that the wireless connection between the remote and the pump is not secure. They communicate in the 900MHz band using a proprietary Wi-Fi protocol based on “cleartext” communications. Without encryption, a hacker could potentially fake a Meter Remote connection and give a patient a harmful dose of insulin.

“Due to these insulin vulnerabilities, an adversary within sufficient proximity (which can depend on the radio transmission equipment being used) can remotely harm users of the system and potentially cause them to have hypoglycemic reaction, if he or she does not cancel the insulin delivery on the pump,” Radcliffe reports.

By gaining access to the connection between the pump and the remote, hackers can see the blood glucose results and the insulin dosage data. They gain access by sniffing the 5-packet “key” passed between the pump and remote, which remains the same each time the two devices are paired. This is supposedly to prevent other household remote controls from activating the pump.

“Communication between the pump and remote have no sequence numbers, timestamps, or other forms of defense against replay attacks,” Radcliffe added. “Because of this, attackers can capture remote transmissions and replay them later to perform an insulin bolus without special knowledge, which can potentially cause them to have hypoglycemic reaction.”

So what took so long for Johnson & Johnson to report the problem? The company had to reproduce Radcliffe’s finding before it warned patients of a potential problem. Brian Levy, chief medical officer with Johnson & Johnson’s diabetes unit, told Reuters they discovered a hacker could actually inject patients with a harmful dose of insulin from up to 25 feet away.

In a letter to patients, Johnson & Johnson said that OneTouch Ping owners who are worried about a potential hack can stop using the remote, or program the pump to limit the maximum dose of insulin. Users can also turn on the Vibrating Alert feature to warn of an insulin dose that is about to be initiated via the remote control. Animas provides a letter to patients here.

Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
This Alienware gaming PC with an RTX 3080, 32GB of RAM is $1,100 off
alienware aurora r13 gaming pc deal dell march 2023 lifestyle

It's rare to see discounts of more than $1,000 when you're browsing through gaming PC deals, so don't miss this opportunity to buy the Alienware Aurora R13 gaming desktop with a $1,100 discount from Dell. You'll only have to pay $1,800 for this powerful machine instead of $2,900, though you'll have to proceed with your purchase as soon as possible because we don't know when the offer ends. If it fits your budget, you won't regret buying this gaming PC.

Why you should buy the Alienware Aurora R13 gaming PC
Dell's gaming-focused Alienware brand is no stranger to our roundup of the best gaming PCs, which places high expectations on the Alienware Aurora R13. The gaming desktop beats them though, as it can play the best PC games at their highest settings without any issues. That's possible through its 12th-generation Intel Core i9 processor and Nvidia GeForce RTX 3080 graphics card, which are paired with 32GB of RAM that will let you run multiple applications like streaming software and web browsers alongside your video games, according to our guide on how much RAM do you need.

Read more
Apple’s new Mac Pro might be dead on arrival
A blown up view of Apple's 2023 Mac Pro.

After four long years of waiting, Apple has finally transitioned its Mac Pro away from Intel processors. Now, the M2 Ultra is powering the workstation, and even without concrete benchmarks, there's little doubt that the Mac Pro will clobber the previous generation. But it unfortunately also lacks everything that made the previous generation so impressive.

Apple has backpedaled on what made the previous Mac Pro such a monumental step forward for the company, and it's hamstrung the Mac Pro by forcing it onto its own silicon. There's no doubt the M2 Ultra will be impressive when it launches, but the flexibility afforded by the previous generation isn't present this time around.
It will be powerful

Read more
How to use the Sudowrite Story Engine to write full-length novels with AI
Using the Sudowrite story engine to generate a synopsis.

The Sudowrite Story Engine is a tool that's designed to help you finish, finalize, or actually generate an entire novel from scratch. It uses the power of OpenAI's natural language model aAI (the same one that power versions of ChatGPT) to generate text for a real novel. It's not perfect, and you will absolutely need to edit it — a lot. But it's a fantastic tool for creating the bones of a story, or building something more on top of that.

Here's how to use Sudowrite's Story Engine to write your own novel.

Read more