Diabetics warned that insulin pump has security vulnerability

Johnson & Johnson has told people using one of its insulin pumps that a security vulnerability in the device could allow hackers to gain access to the pump and make it deliver an overdose of insulin. An overdose of insulin could be fatal. Despite the risk of death if the vulnerability were exploited, Johnson & Johnson says that the risk to users of the pump is low.

Experts say that this is the first time a manufacturer has issued this sort of warning to patients about a security vulnerability in a medical device. The company has told Reuters that it knows of no hacking attempts against the pump at this time, but it has decided to warn users and give advice on fixing the issue.

“The probability of unauthorized access to the OneTouch Ping system is extremely low,” the company wrote in a letter sent to doctors and patients. “It would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping system is not connected to the internet or to any external network,” the letter continued.

The pump in question is the Animas OneTouch Ping, which launched in 2008 and is sold with a wireless remote control that patients can use to control the pump. The reason for the remote is to allow easy access to the pump, which is typically worn under clothing and can be awkward to reach when needed. Security researcher Jay Radcliffe from Rapid7 Inc says that he found a way for hackers to spoof that remote control, potentially forcing the pump to deliver injections that the patient didn’t authorize.

According to Radcliffe, the communications between the remote and the pump aren’t encrypted to prevent unauthorized access to the device. The workaround for the issue is for users to stop using the wireless remote and program the pump to limit maximum insulin doses.

SOURCE: Reuters