View Full Version : Safer Computing: 19/10/2016 Re:Diabetes


Wally
19th October 2016, 10:47 AM
B U L L E T I N (ID: HKRI-AEVCRC)

The Animas OneTouch Ping insulin pump contains vulnerabilities that could be exploited by a malicious attacker to remotely trigger an insulin injection. Security researcher Jay Radcliffe – who is himself a Type I diabetic – discovered the flaws and wrote about his findings.

What Radcliffe discovered was that there were security weaknesses in how the medical device communicated wirelessly. Specifically, a lack of encryption meant that instructions were being sent in clear text. Combined with weak pairing between the remote and pump, this could open opportunities for remote attackers to spoof the controller and trigger unauthorized insulin injections.

Although the risk of widespread exploitation of the flaws is considered relatively low, and no-one should panic, Animas’s parent company Johnson & Johnson has issued an advisory to users of the insulin infusion pump: “We have been notified of a cybersecurity issue with the OneTouch Ping®, specifically that a person could potentially gain unauthorized access to the pump through its unencrypted radio frequency communication system.

We want you to know that Animas has investigated this issue and has worked with the appropriate regulatory authorities and security experts, as we are always evaluating ways to further ensure patient safety and security.”

The advice to users:

Well, you can of course mitigate the threat by turning off the pump’s radio frequency feature. However, this means that your pump and meter can no longer communicate with each other, and blood glucose levels will need to be entered manually on the pump. That’s clearly not an entirely satisfactory solution.

Animas also proposes that OneTouch Ping users enable the vibrating alert feature which will tell them if a dose is being administered remotely, and give them the option of cancelling. Also, it’s possible to program the OneTouch Ping pump to limit the amount of bolus insulin that can be delivered (either as a maximum or within certain time windows).

W E B L I N K S

By Graham Cluley: --> http://www.welivesecurity.com/2016/10/06/insulin-pumps-hacked-warns-johnson-johnson/

shenstone
19th October 2016, 12:13 PM
re

The advice to users:

Sorry Wally, but I think this is not responsible advice and should be replaced with a direction to take advice from your medical professional and Animas. I do not think 3rd party advice on medication changes and changes to medical systems is appropriate.