A diabetic security researcher identified security flaws in the Johnson & Johnson Animas Onetouch Ping insulin pumps that can be exploited by criminals.
Now Even the Insulin Pumps Are Hackable
Three security issues have been identified in an important medical device, the insulin pump. The security researcher Jay Radcliffe, who is also a diabetic, has uncovered the flaws in a Johnson & Johnson Animas OneTouch Ping model that uses a wireless glucose management system. The issues have been reported to the vendor and the relevant agencies – the FDA, CERT/CC and the DHS.
The product uses a wireless remote that displays information about blood sugar levels and controls the pump. The security problems stem from the insufficient security measures implemented in the device. The two parts that form the system communicate over the 900 MHz band using a proprietary management protocol.
Communication is done via cleartext messages rather than encrypted ones, which is a very serious issue. The researcher was able to follow the signals and constructed an attack that spoofs the Meter Remote to trigger an unauthorized insulin injection. The criminals have to be within range (depending on the radio transmission equipment used) to remotely harm the users.
The three distinct weaknesses are the following:
- Cleartext Transmission of All Traffic (CVE-2016-5084) – All communication is done in cleartext, which allows anyone to capture the data wirelessly. This exposes private health information such as blood glucose test results and the insulin doses delivered to the user.
- Weak Remote and Pump Pairing Mechanism (CVE-2016-5085) – The pairing process is initiated during the setup of the remote and the pump using a 5-packet exchange in cleartext, in which the two devices exchange their serial numbers and limited header information. A CRC32 key is generated that is used in all transmissions. These 5 packets are the same during every pairing process between the remote and the pump. This allows a very easy spoofing attack that malicious users can use to operate the pump.
- Lack of transmission assurance and replay attack prevention (CVE-2016-5086) – The communication is done without the usual sequence numbers, timestamps or other measures against replay attacks. This allows hackers to capture remote sessions and replay them later to trigger insulin delivery.
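As an added illustration that is not part of the original report or the vendor's code, the toy Python below contrasts a receiver that accepts any frame carrying a valid CRC32 (so a captured command is accepted again verbatim, and anyone can forge one) with a receiver that binds each command to a pairing key and a strictly increasing counter via HMAC-SHA256. The frame layout, serial number, key and unit encoding are constructed assumptions, not the real OneTouch Ping protocol.

```python
import hashlib, hmac, struct, zlib

# Constructed toy format (NOT the real Animas protocol): serial (4 B) | [counter (4 B), hardened only] | cmd (1 B) | units x10 (2 B) | check
BOLUS = 0x01

def crc_frame(serial, cmd, units):
    """Weak framing: integrity via CRC32 only, which anyone can compute."""
    body = struct.pack(">IBH", serial, cmd, units)
    return body + struct.pack(">I", zlib.crc32(body))

class CrcPump:
    """Receiver that accepts any frame with a valid CRC32, every time."""
    def __init__(self):
        self.delivered = []
    def receive(self, frame):
        body, crc = frame[:-4], struct.unpack(">I", frame[-4:])[0]
        if zlib.crc32(body) != crc:
            return False
        self.delivered.append(struct.unpack(">IBH", body)[2])
        return True

def auth_frame(key, serial, counter, cmd, units):
    """Hardened framing: monotonic counter covered by an HMAC-SHA256 tag."""
    body = struct.pack(">IIBH", serial, counter, cmd, units)
    return body + hmac.new(key, body, hashlib.sha256).digest()

class AuthPump:
    """Checks the tag with the pairing key; serial must match and counter must strictly increase."""
    def __init__(self, key, serial):
        self.key, self.serial, self.last, self.delivered = key, serial, 0, []
    def receive(self, frame):
        body, tag = frame[:-32], frame[-32:]
        if not hmac.compare_digest(hmac.new(self.key, body, hashlib.sha256).digest(), tag):
            return False
        serial, counter, cmd, units = struct.unpack(">IIBH", body)
        if serial != self.serial or counter <= self.last:
            return False
        self.last = counter
        self.delivered.append(units)
        return True

def replay_demo():
    """Legitimate 1.0-unit bolus, then the captured frame resent twice; returns doses (units x10) each receiver delivered."""
    serial, key = 0x00C0FFEE, b"constructed-pairing-key"
    weak, strong = CrcPump(), AuthPump(key, serial)
    weak_frame, strong_frame = crc_frame(serial, BOLUS, 10), auth_frame(key, serial, 1, BOLUS, 10)
    for _ in range(3):  # original transmission plus two replays
        weak.receive(weak_frame)
        strong.receive(strong_frame)
    return weak.delivered, strong.delivered
```

The CRC-only receiver delivers the dose three times and would also accept a frame built without any secret, while the hardened receiver delivers it once and rejects both replays and frames tagged with the wrong key.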
Malicious users can exploit the weaknesses to issue extra doses of insulin and induce hypoglycemic reactions in the victims. The signals are carried over radio waves, which can easily be intercepted with ham radio equipment over a distance of one or two kilometers. The attacks can be avoided by disabling the radio functionality of the device. This is done by accessing the Setup –> Advanced –> Meter/10 screen and toggling the “RF” option to “OFF”.
All customers should receive notification of the problems, with details on how to mitigate them, directly from the vendor via snail mail. For more detailed information, you can view the complete disclosure report.