New insulin pump flaws highlights security risks from medical devices
Medical device manufacturer Animas, a subsidiary of Johnson & Johnson, is warning diabetic patients who use its OneTouch Ping insulin pumps about security issues that could allow hackers to deliver unauthorized doses of insulin.
The vulnerabilities were discovered by Jay Radcliffe, a security researcher at Rapid7 who is a Type I diabetic and user of the pump. The flaws primarily stem from a lack of encryption in the communication between the device’s two parts: the insulin pump itself and the meter-remote that monitors blood sugar levels and remotely tells the pump how much insulin to administer.
The pump and the meter use a proprietary wireless management protocol through radio frequency communications that are not encrypted. This exposes the system to several attacks.