Report: Johnson & Johnson insulin pumps can be hacked to cause overdoses
Medical device maker Johnson & Johnson has notified patients of a cybersecurity vulnerability in one of the company’s popular insulin pumps. Researchers have found that the device can be exploited to cause insulin overdoses in diabetic patients, though the company contends that the actual risk of such attacks remains low.
About 114,000 patients rely on J&J’s Animas OneTouch Ping insulin pump system in the U.S. and Canada. Over the last several days, the New Jersey-based company has been sending letters to inform diabetic patients of the risk posed to their devices from hackers, Reuters first reported.
J&J is working with security researchers at Boston-based Rapid7, a publicly traded cybersecurity firm, to address the vulnerabilities in the product.
The vulnerability lies in the radio-frequency protocol that the system's wireless remote uses to talk to the pump. Because that link carries its commands in cleartext, with no encryption to hide them and nothing that ties a command to the remote that sent it, researchers found that an attacker in radio range could capture the traffic and then replay it, or alter it and send it again, to issue commands the patient never gave.
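To make the cleartext problem concrete, the following Python model is an added example, not code from the original page, from Rapid7 or from Animas, and the frame layout, command codes, pump serial and pairing key in it are all constructed assumptions rather than the OneTouch Ping wire format. The first pump accepts any well-formed frame addressed to its serial, so a captured bolus frame can be replayed, and a larger dose can be forged, exactly as described above. The hardened variant adds what the cleartext link lacks: a key shared at pairing, a strictly increasing counter, and an HMAC-SHA256 tag over the whole frame, checked before the frame is parsed. The example goes slightly beyond the paragraph by also showing a tampered frame (captured, dose field edited, re-sent) being rejected. It deliberately covers only authentication and replay protection; confidentiality would be a separate layer (an AEAD such as AES-GCM gives both at once).

```python
import hashlib
import hmac
import struct

# Constructed command codes and frame layout for this toy model only;
# they are NOT the OneTouch Ping wire format.
CMD_BOLUS = 0x01      # deliver units_x10 / 10 units of insulin
CMD_CANCEL = 0x02     # cancel an in-progress delivery
TAG_LEN = 8           # truncated HMAC-SHA256 tag, 64 bits


def cleartext_frame(pump_id: int, cmd: int, units_x10: int) -> bytes:
    """Unauthenticated frame: pump serial, command, dose. Anyone who can
    receive the RF signal can read it, re-send it, or forge a new one."""
    return struct.pack(">IBH", pump_id, cmd, units_x10)


class CleartextPump:
    """Pump that trusts any well-formed frame addressed to its serial."""

    def __init__(self, pump_id: int):
        self.pump_id = pump_id
        self.delivered_x10 = 0

    def receive(self, frame: bytes) -> bool:
        pump_id, cmd, units_x10 = struct.unpack(">IBH", frame)
        if pump_id != self.pump_id:
            return False
        if cmd == CMD_BOLUS:
            self.delivered_x10 += units_x10
        return True


class AuthenticatedRemote:
    """Remote sharing a pairing key with its pump; every frame carries a
    strictly increasing counter and an HMAC over serial+counter+command."""

    def __init__(self, pump_id: int, key: bytes):
        self.pump_id = pump_id
        self.key = key
        self.counter = 0

    def frame(self, cmd: int, units_x10: int) -> bytes:
        self.counter += 1
        body = struct.pack(">IIBH", self.pump_id, self.counter, cmd, units_x10)
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        return body + tag


class AuthenticatedPump:
    """Pump that verifies the tag before parsing and rejects old counters."""

    def __init__(self, pump_id: int, key: bytes):
        self.pump_id = pump_id
        self.key = key
        self.last_counter = 0
        self.delivered_x10 = 0

    def receive(self, frame: bytes) -> bool:
        if len(frame) != struct.calcsize(">IIBH") + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False          # forged or tampered frame
        pump_id, counter, cmd, units_x10 = struct.unpack(">IIBH", body)
        if pump_id != self.pump_id or counter <= self.last_counter:
            return False          # wrong pump, or a replay of an old frame
        self.last_counter = counter
        if cmd == CMD_BOLUS:
            self.delivered_x10 += units_x10
        return True


def demo() -> dict:
    """Patient sends one 1.5 U bolus; an eavesdropper replays it three times,
    forges a 25 U bolus, and edits the dose in the captured frame."""
    pump_id = 0x00A1B2C3                # constructed serial
    key = b"pairing-secret-example"     # constructed pairing key

    # Cleartext link: replayed and forged frames look like the patient's own.
    weak = CleartextPump(pump_id)
    captured = cleartext_frame(pump_id, CMD_BOLUS, 15)
    weak.receive(captured)
    for _ in range(3):
        weak.receive(captured)
    weak.receive(cleartext_frame(pump_id, CMD_BOLUS, 250))

    # Authenticated link: replay fails the counter check; the forgery and
    # the edited dose fail the tag check.
    strong = AuthenticatedPump(pump_id, key)
    remote = AuthenticatedRemote(pump_id, key)
    captured = remote.frame(CMD_BOLUS, 15)
    strong.receive(captured)
    replay_ok = strong.receive(captured)
    forged = struct.pack(">IIBH", pump_id, 99, CMD_BOLUS, 250) + bytes(TAG_LEN)
    forge_ok = strong.receive(forged)
    edited = captured[:-TAG_LEN - 2] + struct.pack(">H", 250) + captured[-TAG_LEN:]
    edit_ok = strong.receive(edited)

    return {
        "cleartext_delivered_x10": weak.delivered_x10,   # 15 + 45 + 250 = 310
        "hardened_delivered_x10": strong.delivered_x10,  # 15
        "replay_accepted": replay_ok,
        "forgery_accepted": forge_ok,
        "tamper_accepted": edit_ok,
    }


if __name__ == "__main__":
    print(demo())
```

Two practical points the toy glosses over: the pump must keep `last_counter` across power loss (or the remote will be rejected until it is re-paired), and the cancel command needs the same protection as the bolus command, since an attacker who can suppress a cancel is as dangerous as one who can inject a dose.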
“Due to these insulin vulnerabilities, an adversary within sufficient proximity (which can depend on the radio transmission equipment being used) can remotely harm users of the system and potentially cause them to have a hypoglycemic reaction, if he or she does not cancel the insulin delivery on the pump,” a Rapid7 blog post reads.
J&J, Animas Corporation, the Food and Drug Administration and the Department of Homeland Security were all notified of this specific cybersecurity vulnerability shortly after its original discovery, according to Rapid7.
Medical device hacking, and how vulnerabilities and exploits in such devices should be disclosed, has become a hot-button issue in recent weeks following the undisclosed discovery of alleged software flaws in pacemakers and defibrillators made by St. Jude Medical. In that case, a private security firm named MedSec tested St. Jude's products and then handed its findings to a stock short-seller, which publicized them while positioned to profit from the resulting drop in the share price.
J&J Chief Information Security Officer Marene Allison told Reuters that an internal team is reviewing the security measures present in other J&J products to screen for similar software bugs.
The FDA is also preparing formal guidance for medical device makers on how they should handle vulnerability disclosures, reports and related security events. An early draft, released for public comment in January, calls for collaboration between device makers and security researchers to mitigate such risks.