Johnson & Johnson has revealed that its J&J Animas OneTouch Ping insulin pump is vulnerable to hackers, who could potentially force the device to overdose diabetic patients – however, it declares that the risk of this happening is very low.
Speaking to Reuters, unnamed executives from the American multinational medical manufacturer said that they were taking the unprecedented step of warning customers about the vulnerability, particularly in light of recent controversies regarding attack vectors in cardiac equipment.
In a letter to doctors and 114,000 patients, sent on Monday, the company wrote:
“The probability of unauthorized access to the OneTouch Ping system is extremely low… It would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping system is not connected to the internet or to any external network.”
The letter also advised patients who might be concerned by the news that it is possible to mitigate the threat by ceasing to use the remote device and setting the pump to limit the maximum possible insulin dose (presumably not a default setting).
Jay Radcliffe, a security researcher who is himself diabetic, had identified a method by which an attacker could imitate legitimate communications between the pump and the patient’s remote control for it, and noted that no physical access to the device was needed.
The company’s own technicians were able to replicate the hack and confirmed that it was possible to manipulate the pump from a distance of up to 25 feet. Brian Levy, Johnson & Johnson’s chief medical officer, observed that the hack would be extremely difficult to pull off, and said: “We believe the OneTouch Ping system is safe and reliable. We urge patients to stay on the product.”
Johnson & Johnson has said that it will work with the researcher on addressing the problem.
In 2011 Radcliffe presaged this possibility by reverse-engineering his own insulin pump and formulating an effective overdose attack. He presented the work, entitled ‘Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System’ at the 2011 Black Hat security conference.
The same year, McAfee researcher Barnaby Jack demonstrated an effective attack on local insulin pumps at the Hacker Halted conference in Miami. He commented at the time: “With this device I created and the software I created, I could actually instruct the pump to perform all manner of commands… I could make it dispense its entire reservoir of insulin, which is about 300 units. I just scan for any devices in the vicinity and they will respond with the serial number of the device.” Jack passed away in San Francisco days before he was scheduled to demonstrate an analogous hack on a pacemaker.
In August of 2015, the U.S. Food and Drug Administration (FDA) issued a warning to hospitals to discontinue use of the Symbiq Infusion Medication System due to cybersecurity vulnerabilities.
In 2014 the U.S. Department of Homeland Security investigated 24 cases of suspected cybersecurity exploits in hospital equipment and assorted medical devices. A senior DHS official at the time made reference to the best-known fictional depiction of a medical cyber-attack, which occurred in the TV series Homeland.