Vulnerabilities could trigger unauthorised insulin injections.
Vulnerabilities could trigger unauthorised insulin injections.

According to a report by Rapid7, the OneTouch Ping insulin pump system uses cleartext communications rather than encrypted communications, in its proprietary wireless management protocol. Due to this lack of encryption, Rapid7 researcher Jay Radcliffe discovered that a remote attacker can spoof the Meter Remote and trigger unauthorised insulin injections.

“Due to these insulin vulnerabilities, an adversary within sufficient proximity (which can depend on the radio transmission equipment being used) can remotely harm users of the system and potentially cause them to have a hypoglycemic reaction, if he or she does not cancel the insulin delivery on the pump,” the researcher said in a blog post.

One vulnerability demonstrated that the communications between the remote and the pump are transmitted in the clear. During the normal course of operation, de-identified blood glucose results and insulin dosage data is being leaked out for eavesdroppers to remotely receive.

A second flaw highlighted weak pairing between remote and pump.

“Attackers can trivially sniff the remote/pump key and then spoof being the remote or the pump. This can be done without knowledge of how the key is generated. This vulnerability can be used to remotely dispense insulin and potentially cause the patient to have a hypoglycemic reaction,” said the researcher.

A third flaw could allow attackers to capture remote transmissions and replay them later to perform an insulin bolus without special knowledge, which can potentially cause them to have hypoglycemic reaction.

The researcher said that the first findings have been reported to the vendor, Animas Corporation, CERT/CC, the FDA and DHS. He said that Animas has been highly responsive and is proactively notifying users of the devices, and recommending mitigations for the risks.

Mark James, security specialist at ESET, told SCMagazineUK.com that quite often the problem with security in the medical or health industry is financially driven; cost is a major factor both in running and supplying the equipment used.

“In these instances the biggest factor is often making the equipment attainable for the masses who need it. The security of these products has to be factored into the cost and may even in some cases not be a factor at all. As we work towards an IoT environment where everything has to be connected, securing those devices in some cases is a secondary concern,” he said.

“When older equipment was originally designed, the idea of “hacking” those devices was probably not even a factor. As connected devices develop it's much harder to introduce techniques to make them secure and usually requires a redesign which again has a serious cost impact.”

Richard Meeus, VP of Technology, EMEA at NSFOCUS IB, told SC that ever since the TV series “Homeland” depicted terrorists hacking into the vice president's pacemaker, there has been a fear of actually how easy the manipulation is and how it can be possible with instruments that control whether we live or die.

“As has been shown in the research, the communication between the pump and the remote, whilst not over the internet and therefore not in the same vein as recent IoT hacks, was still unencrypted and this would allow hackers within the vicinity of the user to manipulate the dosage. Encrypting the communication between medical sensors and tools should be a first step in any new product,” he said.