Medical device manufacturer Animas on Tuesday warned that its OneTouch Ping insulin pump system was susceptible to hacking.
“We have been notified of a cybersecurity issue with the OneTouch Ping, specifically that a person could potentially gain unauthorized access to the pump through its unencrypted radio frequency communication system,” reads the company’s letter to users of the device.
The probability of anyone accessing the pump without authorization was “extremely low,” the letter notes. Animas is owned by Johnson & Johnson.
“It would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping system is not connected to the Internet or to any external network,” the letter notes. “In addition, the system has multiple safeguards to protect its integrity and prevent unauthorized action.”
Internet of Insecure Things
However, Animas may be deluding itself about the difficulty of exploiting the cybersecurity issue in its pumps.
“The idea that this requires expensive sophisticated technology is just not the case,” said Chris Day, CISO of Invincea.
“There are very inexpensive software-defined radios that can be had for (US)$300 to hack RF,” he said.
“It requires some skill in reverse-engineering network protocols and wireless,” he continued, “but those skills are broadly extant in the security community today, particularly with the community that focuses on RF IoT.”
A high degree of sophistication would not be needed to gain control of Animas’ pump, Lee Ratliff, principal analyst for low power wireless at IHS Markit, also observed.
“I’m an electrical engineer, and reverse-engineering an unencrypted protocol is not rocket science,” he said, “especially if the attacker has access to a pump and a remote for testing.”
Because the Animas pumps aren’t connected to the Internet, they may have less value to hackers than medical devices that have such connections, however.
“There is a real risk to connected medical devices right now — the risk of service disruption due to those devices becoming infected by botnet malware and leveraged to support large denial-of-service attacks,” maintained Anthony DiBello, senior director for product management and marketing at Guidance Software.
The source code for Mirai — the software used to corral millions of IoT devices into a botnet that recently launched one of the largest DDoS attacks in Internet history — recently turned up online for anyone to download.
“With the Mirai source code out in the wild, it is not a stretch to imagine malicious developers augmenting it to take advantage of additional device types, such as those used in the medical fields, to increase the scope of botnet-driven activities even further,” DiBello explained.
Securing the Insulin Pump
Users of OneTouch Ping insulin pumps can take a number of steps to secure their device against unauthorized access, according to Animas.
For example, the pump’s wireless feature can be turned off. If that’s done, however, glucose readings will have to be entered manually on the pump.
Further, insulin amounts can be customized. Any attempt to alter those amounts without a patient’s knowledge would set off an alarm.
Animus recommends activating the vibrating alert feature on the device so that when an insulin dose is about to be delivered, the patient has an option of canceling the delivery.
“I’m impressed with the thoroughness of the alert, as well as the alternatives patients have,” said Scott Montgomery, chief technical strategist for Intel Security.
“It’s also a great idea that they don’t do any of the updates and changes via the Internet,” he said. “It makes the vectors to the device harder to get to.”
Pumps Targeted Before
This isn’t the first time that a vulnerability has been found in an insulin pump. Five years ago, a proof-of-concept attack was demonstrated at the Hacker Halted conference in Miami on an insulin pump made by Medtronic.
Using home brewed software and hardware, McAfee reseracher Barnaby Jack demonstrated how he could seize control of the pump from up to 300 feet and issue commands to it, including dumping its reservoir all at once.
Insulin pumps aren’t the only devices shown to be vulnerable to attack, either. Academic researchers in 2008 demonstrated how implantable cardiac devices and pacemakers could be compromised — either turned off, or used to issue life-threatening electric shocks to a patient.
2,546 total views, 2 views today