October 4, 2016
People with diabetes who use OneTouch Ping insulin pumps made by Animas, a Johnson & Johnson subsidiary, might want to check their mail in the coming days for instructions on how to secure their device against remote hacking.
The device has three security flaws that allow an attacker to interpose himself between the insulin pump and its remote controller and send rogue commands.
An attacker who knows what he is doing could trigger an insulin overdose that might lead to hypoglycemic reactions, which can sometimes be fatal for certain diabetes patients.
Researcher says there’s no cause for alarm
Rapid7 security researcher Jay Radcliffe, the person who discovered the security flaws and a diabetic himself, says there is no cause for concern just yet.
“If you are not technical and read the security advisory, you are probably more than worried. I would be too,” Radcliffe said. “This research uncovers a previously unknown risk. […] These are sophisticated attacks that require being physically close to a pump.”
“Some people will choose to see this as significant, and for that they can turn off the rf/remote features of the pump and eliminate that risk. […] If you are concerned, work with your endocrinologist and device vendor to make sure you are making the best choices. Removing an insulin pump from a diabetic over this risk is similar to never taking an airplane because it might crash.”