Some insulin pumps vulnerable to hacks

Some insulin pumps vulnerable to hacks
© Getty Images

A popular brand of insulin pumps appears to have security vulnerabilities that cannot be fixed through simple software updates. 

Johnson & Johnson’s wifi-enabled Animas OneTouch Ping system does not encrypt data or use time codes when users send commands to the device. An attacker could record a command to administer an irregular amount of insulin and replay it, throwing a diabetic off a course of medication.

The vulnerabilities were discovered by Jay Radcliffe, a senior security consultant with the security firm Rapid 7. Ratcliffe first gained some acclaim in 2011 when he demonstrated how to remotely disable his prescribed insulin pump. The OneTouch Ping, like the 2011 hack, is the brand of insulin pump he uses in real life. 

ADVERTISEMENT

“After 2011, I needed a new pump because my old one was out of warranty. I spent the last three and a half years on and off researching vulnerabilities in this one,” the researcher said, quickly clarifying that age — and not his tinkering — ended the old warranty. 

Ratcliffe notified Johnson & Johnson in April about the security problems, and both worked together to find a way to mitigate the problem. 

The OneTouch Ping has been on market for eight years, predating the time when medical devices were designed with security in mind. Radcliffe said the devices were not designed to update security.

So, in a letter to owners, Johnson & Johnson advised that users turn off the wifi on the device, set a software limit for the amount of insulin that can be triggered remotely or enable a feature that makes the pump vibrate whenever it dispenses insulin to notify users something may be amiss.  

Internet-of-things devices, including medical technology, have a bad reputation among security researchers for companies that often turn a blind eye to security problems rather than fix them. But Ratcliffe said his experience with Johnson & Johnson was more or less the exact opposite. 

Manufacturers, especially those with medical devices and automobiles, have gotten better in recent years about working with third party security researchers who notify them of problems. Still, its not entirely common for a researcher to give rave reviews to a disclosure experience.

“I have been very happy, not only as a researcher, but also as a consumer, said Ratcliffe.