Slashdot Mirror


Johnson & Johnson Discloses That Its Insulin Pump Is Hackable (thestack.com)

An anonymous reader quotes a report from The Stack: Johnson and Johnson has revealed that its JJ Animas OneTouch Ping insulin pump is vulnerable to hackers, who could potentially force the device to overdose diabetic patients -- however, it declares that the risk of this happening is very low. Unnamed executives from the American multinational medical manufacturer said that they were taking the unprecedented step of warning customers about the vulnerability, particularly in light of recent controversies regarding attack vectors in cardiac equipment. In a letter to doctors and 114,000 patients, sent on Monday, the company wrote: "The probability of unauthorized access to the OneTouch Ping system is extremely low... It would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping system is not connected to the internet or to any external network." Even though the company's own technicians were able to hack the pump within a distance of 25 feet, Johnson and Johnson's chief medical officer Brian Levy observed that the hack would be extremely difficult to pull off, and said "We believe the OneTouch Ping system is safe and reliable. We urge patients to stay on the product."

79 comments

  1. The gauntlet has been thrown by Anonymous Coward · · Score: 2, Insightful

    Now people will hack into these just to prove they can. How many have to die because of J&J being cheap and not fixing them?

    1. Re:The gauntlet has been thrown by Mr+D+from+63 · · Score: 3, Insightful

      Pretty much anything is hackable if you can get your hands on it. Considering the proximity and time required for a successful hack, the hacker would stand a high risk of being caught and charged with murder or attempted murder. So if one is smart enough to do it they're probably smart enough to not even try.

    2. Re:The gauntlet has been thrown by Fwipp · · Score: 1

      Considering the proximity and time required for a successful hack, the hacker would stand a high risk of being caught and charged with murder or attempted murder.

      I'm not sure that's true. I don't see anything in the article saying that it takes very long to carry out, and 25 feet is well within the range of "sitting nearby at a coffee shop."

      Additionally,

      it is believed these attacks could be performed from one to two kilometers away, if not substantially further, using sufficient elevation and off-the-shelf radio transmission gear available to ham radio hobbyists.

    3. Re:The gauntlet has been thrown by PCM2 · · Score: 2

      Yikes! I wonder if that's a line-of-sight thing or if you could just drop every diabetic in a 2km range ... you know, for plausible deniability.

      --
      Breakfast served all day!
    4. Re:The gauntlet has been thrown by Guy+Harris · · Score: 2

      Yikes! I wonder if that's a line-of-sight thing or if you could just drop every diabetic in a 2km range

      Only if every diabetic within range of your hacking device is using an insulin pump that your device can hack. Not all diabetics are on insulin, not all diabetics on insulin use insulin pumps, and not all diabetics using insulin pumps are all using the same model with similarly-hackable firmware.

    5. Re:The gauntlet has been thrown by bobbied · · Score: 1

      Actually, the effort required to do this hack is quite high and the risk to the patient is quite low from this hack.

      An overdose of insulin is indeed dangerous and can cause death if left untreated for an extended time, but diagnosis is easy (a finger prick blood glucose test) and treatment is easier (Drink some juice or a sugared soda).

      So with the extremely high technical requirements to perform the hack from a distance, especially without the victim knowing and the ease of diagnosis and treatment from the resulting overdose of insulin, the chances of lasting harm are astonishingly low, lower than going out with a recall, forcing all these patients to undergo the surgery to remove and replace the implanted devices.

      I'm with J&J, It's just NOT worth the replacement risks.... General Anesthesia has significant risks, much more than somebody hacking your insulin pump on the subway.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    6. Re:The gauntlet has been thrown by Mr+D+from+63 · · Score: 1

      Considering the proximity and time required for a successful hack, the hacker would stand a high risk of being caught and charged with murder or attempted murder.

      I'm not sure that's true. I don't see anything in the article saying that it takes very long to carry out, and 25 feet is well within the range of "sitting nearby at a coffee shop."

      Additionally,

      it is believed these attacks could be performed from one to two kilometers away, if not substantially further, using sufficient elevation and off-the-shelf radio transmission gear available to ham radio hobbyists.

      Both those situations present a pretty good risk of getting caught. Only so many people in those areas at a given time would have the knowledge of the victim and the capability.

    7. Re:The gauntlet has been thrown by c · · Score: 1

      Considering the proximity and time required for a successful hack

      "Time required" is dependent on how often the devices generate the packets you'd need to hack. Odds are if you park yourself in the middle of a food court or restaurant you'll find a few victims quite easily since pump users need to tweak settings when they sit down to eat.

      As far as proximity or someone being smart enough to do it... it doesn't sound like rocket science and I wouldn't bet against it. A laptop with a $10 RTL2832U/R820T2 dongle is enough to mess with 900MHz signals, so if someone comes up with a script then it's a good bet that a bored dipshit would find it funny to fire it up somewhere.

      --
      Log in or piss off.
    8. Re:The gauntlet has been thrown by techno-vampire · · Score: 1

      Speaking as an insulin-dependent diabetic (I've never been on a pump and don't expect to be in the future.) I can tell you that you're only looking at one side of the coin. The other side is hacking the pump to deliver less insulin than needed, causing the victim to go into a coma caused by high blood sugar. In that case, the proper treatment is insulin, and if the patient is awake and coherent, lots and lots of water to drink so that the kidneys can do their part in flushing it out of the system.

      --
      Good, inexpensive web hosting
    9. Re:The gauntlet has been thrown by Anonymous Coward · · Score: 0

      If you manage to hit someone that just went to sleep, their survival basically depends on if they tend to wake up when their glucose levels sink. Far from everybody does. I'm not even diabetic (though I live with a pump user) - but I wouldn't bet on my survival chances if someone dumped 20-30 units into me while I slept. Without any food that's easily enough for a hypoglycemic coma, and you don't come out of those by force of will alone.

    10. Re:The gauntlet has been thrown by Mr+D+from+63 · · Score: 1

      As far as proximity or someone being smart enough to do it... it doesn't sound like rocket science and I wouldn't bet against it. A laptop with a $10 RTL2832U/R820T2 dongle is enough to mess with 900MHz signals, so if someone comes up with a script then it's a good bet that a bored dipshit would find it funny to fire it up somewhere.

      Funny that type of thing never seems to happen in the real world. It's not like there aren't a lot of opportunities to pull off similar life threatening hacks already, be it cars, medical devices, etc. Or even non life threatening ones. Yet I keep hearing this talk like there are these stereotypical bored computer geeks roving the streets with hacking gear looking to pull off this type of thing.

    11. Re:The gauntlet has been thrown by FatdogHaiku · · Score: 1

      Now Now, Johnson and Johnson's chief medical officer Brian Levy seems very confident the devices are safe.
      With that in mind maybe he could have one installed in HIM. Bonus points if he walks into a Defcon wearing a name badge.
      A majority of board members joining him would show the company is truly committed to the product...
      I would imagine a few of the biggest investors would also want in on the action, just to bolster stock prices.
      </delusion>

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    12. Re:The gauntlet has been thrown by Mr+D+from+63 · · Score: 1

      ^and why is it always done in coffee shops?

    13. Re:The gauntlet has been thrown by niftymitch · · Score: 1

      Now people will hack into these just to prove they can.
      How many have to die because of J&J being cheap and not fixing them?

      So these pumps are where? Google google google.
      Cool it is outside the body and connected by a simple Infusion set with standard Luer connector.
      That makes it easy to replace.

      All these bluetooth family of short distance devices are a risk...
      time will tell what JJ does.

      --
      Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
    14. Re:The gauntlet has been thrown by Pinky's+Brain · · Score: 1

      ToF protection to make NFC truly NFC is still very rare, even though the silicon cost is negligible and it should have been part of the standard from day 1, most of the time a larger antenna is enough to increase distance.

    15. Re:The gauntlet has been thrown by c · · Score: 1

      Funny that type of thing never seems to happen in the real world.

      That we know of.

      But no, I don't think it's happening much yet. Their wireless tech is still quite primitive. I don't think it's going to be a real problem until manufacturers start putting these things on the Internet and open them up to the same people turning IP cameras into botnets. They'll be adding smartphone integration first, of course (most of these devices upload data via USB currently), but inevitably they'll add wifi integration. If they don't learn something about security before then it's going to be bad.

      --
      Log in or piss off.
    16. Re:The gauntlet has been thrown by niftymitch · · Score: 1

      Actually, the effort required to do this hack is quite high and the risk to the patient is quite low from this hack.

      ....

      I'm with J&J, It's just NOT worth the replacement risks.... General Anesthesia has significant risks, much more than somebody hacking your insulin pump on the subway.

      I am with JJ but this does not require surgery to replace.
      It is external and connects to the body with an infusion set with standard Luer connector.

      I can see a software update to the paired system.
      Two devices a blood glucose meter and the infuser.

      --
      Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
    17. Re:The gauntlet has been thrown by Mr+D+from+63 · · Score: 1

      If people are dying because of hacked devices, we'd be hearing about it.

    18. Re: The gauntlet has been thrown by Endloser · · Score: 1

      There are people doing that. They're called auditors. You have to be just good enough at security to keep them off your back. The whole point is to keep security ahead of the curve: effort required to secure * value of controlling resource > effort required to obtain * value of gained resource (inclusive of satisfying motivation). If we didn't do this ridiculous draconian thing security could really slip in general to a point we'll have trouble securing it, like transportation signaling equipment. However I don't think they need to take care of it with this model. We likely have a while before the technology to achieve this is ubiquitous enough to make it any more dangerous than the intense motivation to kill you someone would need to do it like this. I mean a hammer could just as easily assassinate a diabetic.

    19. Re:The gauntlet has been thrown by Bob_Who · · Score: 1

      If people are dying because of hacked devices, we'd be hearing about it.

      Maybe not....

      They hacked the hearing aids too..

    20. Re:The gauntlet has been thrown by Bob_Who · · Score: 1

      You mean like North Korea is trying to do with that plutonium hack...

    21. Re: The gauntlet has been thrown by Anonymous Coward · · Score: 0

      Indeed, why not choose your victim and tail them down I85 during rush hour and hack their pump while they're driving.

    22. Re:The gauntlet has been thrown by Anonymous Coward · · Score: 0

      Lack of imagination?

      i.e. Think about a cybermine planted in a public place and activated randomly.

    23. Re:The gauntlet has been thrown by c · · Score: 1

      Actually, the effort required to do this hack is quite high...

      No it isn't.

      Actually, I don't know for sure either way, but you have to be a fool to bet that it is. History has shown very consistently that security holes in any given product are always easier to exploit than the vendor will admit to, and they become less and less difficult as time passes without a proper fix.

      Off hand, from the attack demo video the guy is running it off a Pi with a USB RF dongle... probably an obvious application of RTL-SDR. I suspect the biggest hurdle is that you'd need access to one of these pumps to build your attack tool.

      An overdose of insulin is indeed dangerous and can cause death if left untreated for an extended time...

      You meant "underdose".

      An overdose of insulin lowers blood glucose and results in hypoglycemia, which is extremely dangerous and can cause death very quickly if the diabetic happens to be doing something like, say, driving and doesn't catch the symptoms or blood sugar drops far too quickly. Being asleep would be another bad time to have glucose levels bottom out.

      --
      Log in or piss off.
    24. Re:The gauntlet has been thrown by Anonymous Coward · · Score: 0

      Yeah just use a needle and bottles and take six shots a day. Take that hackers. My tin foil hat hurts though.

    25. Re:The gauntlet has been thrown by dbIII · · Score: 1

      A few years ago I talked to a guy from RSA who was making sure that a pacemaker with wireless controls was secured. He had to brush up on Z80 code to do it.
      Today there is no excuse since the hardware is far more capable.

    26. Re:The gauntlet has been thrown by Anonymous Coward · · Score: 0

      If it is external, the damned thing should have a switch on it to enable receiving transmissions. Preferably a momentary switch.

    27. Re:The gauntlet has been thrown by mwvdlee · · Score: 1

      That's because besides the need for some hardware, technical expertise and the right location, you'd also need a psychopathic murderer who can't think of an easier way to kill people.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    28. Re:The gauntlet has been thrown by Opportunist · · Score: 1

      Proximity required? Like, say, in a school cafeteria where some geek prankster who doesn't even know what damage he might do could give it a try?

      Kids don't give a shit about consequences. But fortunately, kids being killed by improper medical equipment cause enough of a stir to get things done. I guess some minor will have to croak so we see something being done, but hey, at least it's not going to kill someone whose education already cost an arm and a leg. From an economic point of view, better some snotty kid than an adult.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    29. Re:The gauntlet has been thrown by AmiMoJo · · Score: 1

      It's of more concern to organisations with diabetic VIPs. Governments, businesses, organized crime (but I repeat myself).

      I seem to recall that certain members of the US government have special medical devices with the radios disabled. Anyone who might be the target of assassination should be worried.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    30. Re:The gauntlet has been thrown by GrumpySteen · · Score: 1

      While the problem does need to be fixed, it's highly unlikely that anyone will die due to a random hacker messing with their device.

      Despite the Hollywood movie stereotype of evil hackers who unleash chaos and destruction on the world, the truth is that most hackers are just curious about how things work and have no desire to cause damage, much less kill people. The closest thing that exists to the stereotype are the hackers who are trying to make a profit without regard to the cost to others, but there's no profit in screwing with someone's insulin pump.

      The only real danger is if someone you know wants to kill you. If that's the case, however, this is just an additional option for the method and you're still likely to wind up dead even if the security on your insulin pump is fixed.

    31. Re:The gauntlet has been thrown by Aaden42 · · Score: 1

      That's where all the l33t h5x0rz are! Everybody knows that!!!

    32. Re:The gauntlet has been thrown by GrumpySteen · · Score: 1

      No. It's RF, so line of sight isn't required, but the article says the range is about 25 feet.

      In addition, you have to capture packets from the remote in order to get the pairing key in order to spoof commands to the pump. Every pump in the vicinity would have to have been paired with the same remote in order for one broadcast to affect them all.

    33. Re:The gauntlet has been thrown by Aaden42 · · Score: 3, Informative

      I wouldn't be so sure. Consider what evidence is left on a device that's been hacked remotely. (I don't know at all, just speculating of course.)

      What if a hacked command to send a lethal overdose looks exactly like the user pressing the buttons to deliver the same dose? Any legal risk minded investigation team is going to be falling over themselves to label that either an "accidental" overdose or perhaps even a suicide rather than let it go down as a security issue in their device that allowed someone to murder the user at a distance by twiddling some buttons. My (cynical) guess would be if the security of an embedded device is such that it can take unauthorized commands over the wire, odds are pretty good it's not going to successfully audit what happened in any meaningful way.

      If it happened en masse, sure. People would put it together, and we'd get a Made for Lifetime movie about the intrepid hero who wouldn't accept the party line and pushed through to discover the horrible truth... Or somesuch drek... But one or two, here & there? We've all seen the bit about automotive recalls at the beginning of that movie we don't talk about, right?

    34. Re: The gauntlet has been thrown by Anonymous Coward · · Score: 0

      Consider who are the only people with the knowledge to investigate a pump 'failure' and consider their legal liability if someone dies due to their pump being hacked via a known but unpatched exploit. It's pretty clear they'd try to cover it up and could succeed if the number of deaths was small.

    35. Re:The gauntlet has been thrown by Mr+D+from+63 · · Score: 1

      Those kids already can be hurting people in all kinds of ways today. Why are they waiting for this specific opportunity?

    36. Re:The gauntlet has been thrown by Mr+D+from+63 · · Score: 1

      It depends on how unusual it is for this to happen, as these devices are supposed to be idiot proof.

    37. Re:The gauntlet has been thrown by Opportunist · · Score: 1

      Because in direct confrontations, geeks are usually not really the ones that come out on top.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    38. Re:The gauntlet has been thrown by Mr+D+from+63 · · Score: 1

      There are plenty of ways to hurt people without direct confrontation.

    39. Re:The gauntlet has been thrown by Opportunist · · Score: 1

      And now we have one more. Yay.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  2. Good for them... by Anonymous Coward · · Score: 0

    at least they made a public disclosure.

    1. Re:Good for them... by Bob_Who · · Score: 1

      at least they made a public disclosure.

      EXACTLY.

      After all, EVERYTHING is hackable.

      Just don't say you weren't warned by J & J.

    2. Re:Good for them... by Anonymous Coward · · Score: 0

      No... Everything is NOT hackable... And you have many devices that are not possible to hack remotely.. Sure with physical access almost everything is possible but we are talking about devices that you do not have physical access to.

      You can write secure code that can be proven to be correct and bugfree.

      For this i would say that all control packages coming into the insulin pump should be signed by a public key stored in the controlling device and there would have to be a pairing method (physical contact probably) setup to add that public key as a trusted controller in the pump.

      Of course no private keys should exist outside of these devices after production. Preferably the certificates should be generated on the actual device.
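The scheme proposed in the comment above, as an added sketch that is not part of the thread and not any vendor's protocol: the packet layout, class names and dose limit are hypothetical, and HMAC-SHA256 with a key shared at pairing stands in for the public-key signature the comment suggests. A strictly increasing counter is added because authentication alone does not stop a captured packet from being re-sent.

```python
import hashlib
import hmac
import os
import struct

# Hypothetical packet: opcode (1 byte), dose in 0.01 U (2 bytes),
# counter (4 bytes), then a 16-byte truncated HMAC-SHA256 tag.
HEADER = struct.Struct(">BHI")
TAG_LEN = 16
OP_BOLUS = 0x01


def _tag(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class Remote:
    """Controller side: holds the pairing key and a send counter."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def command(self, opcode: int, dose_centiunits: int) -> bytes:
        self.counter += 1
        body = HEADER.pack(opcode, dose_centiunits, self.counter)
        return body + _tag(self.key, body)


class Pump:
    """Pump side: accepts only fresh, authentic, in-range commands."""

    def __init__(self, max_bolus_centiunits: int = 1000):
        self.key = None
        self.last_counter = 0
        self.max_bolus = max_bolus_centiunits

    def pair(self, key: bytes) -> None:
        # Assumed to happen over physical contact, as the comment suggests.
        self.key = key
        self.last_counter = 0

    def receive(self, packet: bytes) -> str:
        if self.key is None:
            return "rejected: not paired"
        if len(packet) != HEADER.size + TAG_LEN:
            return "rejected: bad length"
        body, tag = packet[:HEADER.size], packet[HEADER.size:]
        # Constant-time comparison; nothing is parsed before this passes.
        if not hmac.compare_digest(tag, _tag(self.key, body)):
            return "rejected: bad tag"
        opcode, dose, counter = HEADER.unpack(body)
        if counter <= self.last_counter:
            return "rejected: replay"
        self.last_counter = counter
        if opcode != OP_BOLUS:
            return "rejected: unknown opcode"
        if dose > self.max_bolus:
            return "rejected: dose over limit"
        return f"accepted: bolus {dose / 100:.2f} U"


def demo() -> dict:
    """Run constructed packets through the pump and collect the verdicts."""
    key = os.urandom(32)
    pump, remote = Pump(), Remote(key)
    pump.pair(key)

    first = remote.command(OP_BOLUS, 250)            # 2.50 U
    results = {"valid": pump.receive(first)}
    results["replayed"] = pump.receive(first)        # same bytes re-sent

    tampered = bytearray(remote.command(OP_BOLUS, 250))
    tampered[1] ^= 0x0F                              # alter the dose field
    results["tampered"] = pump.receive(bytes(tampered))

    stranger = Remote(os.urandom(32))                # never paired
    results["unpaired"] = pump.receive(stranger.command(OP_BOLUS, 250))

    results["over_limit"] = pump.receive(remote.command(OP_BOLUS, 3000))
    results["truncated"] = pump.receive(first[:-1])
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:11s} {verdict}")
```
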

    3. Re:Good for them... by Opportunist · · Score: 1

      No. Bullshit. Not everything is hackable. Not by a long shot. And certainly not without direct physical access.

      Want proof? Here's my laptop. It comes with a physical switch that turns WiFi off. Try to hack it remotely. Oh, you might be able when I turn WiFi on, true, but how about I only do that in a controlled environment, with shielded walls surrounding me and the laptop's peer so I can ensure that only these two devices communicate while WiFi is turned on, and outside the controlled environment, I turn any over-the-air connectivity off.

      You're invited to hack it, but no touching!

      And since the insulin pump in question is outside the body, adding such a switch is trivial at best. But I guess it would cost 5 cents more, so the markup on the device would drop to 999999999%.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:Good for them... by Aaden42 · · Score: 1

      In fairness, adding the switch might cost five cents, but adding it to the *design* & getting it recertified would cost millions, easy.

    5. Re:Good for them... by Opportunist · · Score: 1

      You think that recertification will be less expensive after someone died?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:Good for them... by Aaden42 · · Score: 1

      It might be honestly. Might be able to convince the FDA to agree to an accelerated process because of the emergency situation. Never let a good catastrophe go to waste...

      Probably easier to sell the cost to stock holders and others who don't get security too when they "have to" do it, as opposed to spending just proactively shoring up security that hasn't been broken yet, at least not practically for reals. Anyone in infosec knows firefighting is easier to get funding for than prevention...

    7. Re:Good for them... by Opportunist · · Score: 1

      Sadly this is absolutely logical and most likely correct. Thanks, now I can go home depressed...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    8. Re:Good for them... by Bob_Who · · Score: 1

      Sadly this is absolutely logical and most likely correct. Thanks, now I can go home depressed...

      Amen.
      Human nature is a bug in every design implementation.
      Perhaps that makes it Art.

  3. Do Trump AND Hillary use it? by Bruce66423 · · Score: 1

    If both were to come to a bad end, there would be massive rejoicing...

    1. Re:Do Trump AND Hillary use it? by HiThere · · Score: 2

      Not really. Have you even looked at the VP candidates?

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    2. Re:Do Trump AND Hillary use it? by Anonymous Coward · · Score: 0

      If both were to come to a bad end, there would be massive rejoicing...

      No they don't, because Insulin pumps still require a beating heart.

    3. Re:Do Trump AND Hillary use it? by Anonymous Coward · · Score: 0

      I noticed that neither was Palin.

      That's at least a step in the right direction.

  4. *TODO: Insert Subject* by m0hawk · · Score: 1

    Although it is unlikely that a hack will occur, hopefully J&J will look at security more thoroughly in the future. Obviously a person dying due to a faulty, or hacked insulin pump is less expensive than a recall and firmware update.

    Maybe they could just post equipment in major cities that hack the new firmware onto the pumps! No recall, and probability of a hack goes down even further. What on earth could possibly go wrong?!

    At least the quotes don't sound like they were written by a progressive, brand visionary, user centrist methodology PR company; they've admitted that there is a problem, and it wasn't spun to say it was in the best interest of the users (take note HP).

    1. Re: *TODO: Insert Subject* by Anonymous Coward · · Score: 0

      I'm a J&J employee and this is exactly what the customers expect the company to do. It's what is expected of me on the job: if any product has a problem, even if I have nothing to do with the product, we have to report it. Read their credo and you'll see this is the picture of integrity it paints. And TFA says they're working on a solution with the researcher.

  5. yes, no and kinda by Gravis+Zero · · Score: 1

    “The probability of unauthorized access to the OneTouch Ping system is extremely low... It would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping system is not connected to the internet or to any external network.”

    • technical expertise - yes
    • sophisticated equipment - a $15 dongle to do SDR
    • proximity to the pump - come within 20 feet of the pump and you can hack it. anything internet connected that can communicate at 900 MHz could potentially hack the device

    if someone was targeting you (especially a nation-state) and wanted to kill you, this would be a great way of doing it.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:yes, no and kinda by amiga3D · · Score: 1

      My wife's Medtronic Insulin pump requires actually pushing an acknowledgment button before it will deliver insulin.

    2. Re:yes, no and kinda by Gravis+Zero · · Score: 1

      that's nice but when it's hacked to deliver the wrong amount?

      --
      Anons need not reply. Questions end with a question mark.
    3. Re:yes, no and kinda by amiga3D · · Score: 3, Informative

      Well, it gets the reading remotely from the blood glucose meter and calculates the dose. It then displays the amount of insulin for the bolus delivery. You look at it and generally, if you've been using a pump or doing injections you know about what range you usually end up taking. If it's off a lot it should be obvious as long as you're actually alert. When it comes to things like that being observant is important.

    4. Re:yes, no and kinda by Anonymous Coward · · Score: 0

      But if you can hack it, is the display still telling the truth?

    5. Re:yes, no and kinda by slash.dt · · Score: 1

      Well, it gets the reading remotely from the blood glucose meter and calculates the dose. It then displays the amount of insulin for the bolus delivery. You look at it and generally, if you've been using a pump or doing injections you know about what range you usually end up taking. If it's off a lot it should be obvious as long as you're actually alert. When it comes to things like that being observant is important.

      Using the bolus wizard is one path through the menus but is not the only one. If you have remotely connected to the pump you can tell it to deliver without requiring the user to press any buttons. Medtronic have turned off some of the remote ability with the firmware in their later pumps, unfortunately that has also denied access to projects such as OpenAPS. I would like to see some ability to pair known devices together rather than cutting off all access completely.

    6. Re:yes, no and kinda by Anonymous Coward · · Score: 0

      amiga3D, which I'm ashamed to admit is a fellow Amiga user, is also a hardcore Linux zealot. Their kind doesn't think correctly. So, he's not going to understand no matter how you explain it to him.

    7. Re:yes, no and kinda by c · · Score: 1

      My wife's Medtronic Insulin pump requires actually pushing an acknowledgment button before it will deliver insulin.

      My wife just switched to an OmniPod, which doesn't have a UI of any sort on the pump unit itself. The controller communicates with the pump using what I believe is 433MHz FSK coding, and quite frankly I'm terrified to start playing with a 433MHz capture board within range of her because I have a bad feeling about what I'll find...

      The main thing that prevents a bolus overdose attack is that pumps make enough noise when they dispense a bolus that the wearer would notice it. However, if you increased the basal (especially overnight) it's quite possible they wouldn't catch that...

      --
      Log in or piss off.
    8. Re:yes, no and kinda by amiga3D · · Score: 1

      Ah...anonymous coward, I understand that while anything is possible, some things are so remotely possible as to be very nearly impossible. There is no way to make something absolutely impossible to hack. You simply make it so hard that people get tired and go find the low hanging fruit.

    9. Re:yes, no and kinda by amiga3D · · Score: 1

      I know my wife doesn't use the remote. She has one but it's just too easy to pull the pump up, look at it and okay the dose. The remote adds complexity and of course while hacking would not be that easy it could be done.

  6. Part of the problem is archaic compliance testing by burtosis · · Score: 1, Interesting

    I'm pretty sure most readers here will agree medical devices in critical applications need to be regulated and tested to a high degree. But the system was never designed around devices with internet connectivity and other communication technology. There isn't even a realistic way to upgrade the security or install patches on these devices without repeating the entire certification process in most cases. The medical community needs to update their security in some sane and reasonable way. I mean they were almost unable to get 21st century databases (still don't in many cases) the security on devices should be the next big area to be reformed.

  7. Playing both sides? by slincolne · · Score: 1
    Interesting approach to the problem:

    On one hand they are fulfilling their duty of care by disclosing this information to the public so they can make an informed decision; and

    On the other hand they are protecting their shareholders by suggesting that the devices are safe and people can continue to use them.

    It's a sad thing when the profit motive is put ahead of patient safety, however I suspect we will see a lot more of this as the 'Internet of Things' and 'eHealth' agendas collide on the desk of medical professionals who think they are experts but in fact are not.

    Welcome to the impending risk of death by technology.

  8. The Right Discussion by Anonymous Coward · · Score: 1

    I'd like to point out, and this is refreshing, that because Johnson and Johnson disclosed this themselves, with some details, that the discussion on here is the right one. People are discussing severity, risk and impact.

  9. If they inform customers... by gweihir · · Score: 1

    Then the risk is not "extremely low". If it were that, they would just sweep their incompetence under the carpet...

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

  10. Re:Part of the problem is archaic compliance testi by freeze128 · · Score: 1

    The pump shouldn't be connected to the internet... It doesn't need to be. It probably doesn't even need Bluetooth, but probably has some sort of remote diagnostic ability so it can dump log files.... But this whole thing is moot anyway. Didn't the FDA just approve a closed-loop artificial pancreas? It looks like a good time to upgrade, and feel better!

  11. Re:Part of the problem is archaic compliance testi by havana9 · · Score: 1

    The pump uses a proprietary protocol on the 900 MHz ISM band. It is neither Bluetooth nor uses TCP/IP. So to interfere with the device one has to be in proximity and have a system to send fake commands: it's a lot like the problems one could have with garage door openers rather than the ones with IoT things. Luckily J&J didn't follow the easy route, maybe because the pumps have to run on a small 8-bit microcontroller and adding a TCP/IP stack was unfeasible.

  12. On the contrary by aepervius · · Score: 1

    That is nearly 8 meters. So you only need to be in proximity doing nothing, reading a book, while your conspicuously hidden laptop is doing the job with scripts already prepared. Then once the max dose of insulin is given you can simply safely go. Remember that the effect will not be *immediate* as if it was cyanide administered; the blood sugar will take a bit of time to be absorbed. So yeah. The risk of being charged is actually much lower than you think it is. If nobody catches you red handed with a laptop, then once symptoms start to appear just calmly head for the exit, and wipe your laptop.

    --
    C. Sagan : A demon haunted world:
    http://www.amazon.com/gp/product/0345409469/
    visit randi.org

    1. Re:On the contrary by Mr+D+from+63 · · Score: 1

      Only you forgot most public areas have video cameras. You'd be surprised how quickly a suspect list can be narrowed down.

  13. Re:Part of the problem is archaic compliance testi by Anonymous Coward · · Score: 0

    I would skip the requirement for testing and instead just propose a self-certification process:

    - DH for handshake.
    - All communication encrypted with at least an AES256 key (from the DH handshake)
    - Encryption key refresh time should be X minutes or Y bytes (whatever comes first).... (X and Y TBD)
    - All packages sent containing counters to prevent replay attacks. ( ie similar parts to that in TCP used for reliability )
    - When pairing devices new private/public keypairs should be generated on the fly via a HW based RNG ( rng requirements TBD )
    - Pairing of devices should require physical contact between them. (i2c port or similar) for the public key sharing.
    - Pairing must be done via storing a sha256 of the public key or storing the full public key of the paired device locally.
    - If the communication channel for the devices is broken the vendor of the device will have to pay $5M in fines and $5M in finder's-fee to the security researcher that managed to exploit it. Vendor would also be responsible for updating or replacing all used devices in the field at no cost to the end user. ( disclosure method TBD )

    If this were to happen I can see that there would be a big boom both in the electronics business to provide SoCs suitable for the purpose, and can also see security companies developing standardized stacks that then can be used by multiple companies.

    What's happening right now is the worst possible situation where you have a crap-load of companies producing things and implementing their own security schemes, and they probably ignore the developers asking for a security review of the stuff they wrote.
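
The packet-counter item in the list above, sketched as an added example (not code from the thread, the vendor, or any real pump protocol). It assumes a 32-byte session key already agreed by the handshake, and it authenticates packets with HMAC-SHA256 from the Python standard library instead of the AES-256 encryption the comment proposes; the class names, packet layout and `STATUS?` command are hypothetical.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 32  # HMAC-SHA256 tag size in bytes
HDR_LEN = 8   # 64-bit big-endian packet counter


class Remote:
    """Sending side: every packet carries a strictly increasing counter."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def seal(self, command: bytes) -> bytes:
        self.counter += 1
        body = struct.pack(">Q", self.counter) + command
        return body + hmac.new(self.key, body, hashlib.sha256).digest()


class Pump:
    """Receiving side: accept only authentic packets with a fresh counter."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def open(self, packet: bytes):
        if len(packet) < HDR_LEN + TAG_LEN:
            return None  # too short to hold counter and tag
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # forged or corrupted; counter state is untouched
        (counter,) = struct.unpack(">Q", body[:HDR_LEN])
        if counter <= self.last_counter:
            return None  # replayed (or stale, reordered) packet
        self.last_counter = counter
        return body[HDR_LEN:]


if __name__ == "__main__":
    key = os.urandom(32)  # constructed stand-in for the handshake-derived key
    remote, pump = Remote(key), Pump(key)
    first = remote.seal(b"STATUS?")  # constructed command, not a real protocol
    print(pump.open(first))  # accepted
    print(pump.open(first))  # same bytes again: rejected
```

The tag is verified before the counter is read, so a forged packet cannot advance the receiver's state, and gaps from lost packets are tolerated because only freshness is required.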

  14. Re:Part of the problem is archaic compliance testi by AmiMoJo · · Score: 1

    Can someone explain why it even has a radio communication system? Why not just have a USB port for reprogramming?

    I appreciate that wireless is convenient, but it's also a huge attack surface, and it appears that if there was any authentication at all then it's extremely weak.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

  15. Re:Part of the problem is archaic compliance testi by Anonymous Coward · · Score: 0

    The problem is that the device and communication layer are not separate. The system that FDA cares about most should be the pump and controller -- those have to be right for the device to function with sufficient accuracy and precision. Then the transit layer for communicating with the device should be a *separate* system serving as an information router with hair trigger firewall. If there's a problem with the communication layer security then you want to "remote disable" and only allow re-enable if you have physical access to the device. Yes, it means a hacker could, in principle, disable the device connection (DOS attack). But a separation of the responsibilities means the pump controller can be designed to do the right thing (DTRT) if the comm system goes away ... some applications that could be turning off, or it could be staying the course.

  16. Re:Part of the problem is archaic compliance testi by cdrudge · · Score: 1

    Didn't the FDA just approve a closed-loop artificial pancreas?

    Yes, although calling it an artificial pancreas is a lot like calling an iron lung an artificial lung. The device works in conjunction with an insulin pump and continuous glucose monitor, sampling every 5 minutes glucose levels and dosing insulin in response. It's a hybrid system though that only handles basal insulin while bolus insulin from meals needs to be manually specified, as well as periods of exercising.

    The FDA specifically worked with Medtronic to accelerate the pre-market compliance testing that usually grinds development slowly.

    As a type-2 diabetic, the system isn't designed for me yet, but it is exciting to see development in the area. Maybe one day I can just wear a watch-like device that takes care of all my monitoring and dosing, and missed injections and going hypo- or hyper-glycemic will be a thing of the past.

  17. Re:Part of the problem is archaic compliance testi by Anonymous Coward · · Score: 0

    Can someone explain why it even has a radio communication system? Why not just have a USB port for reprogramming?

    I appreciate that wireless is convenient, but it's also a huge attack surface, and it appears that if there was any authentication at all then it's extremely weak.

    Sure, I can quote the article for you:

    The Animas OneTouch Ping, which was launched in 2008, is sold with a wireless remote control that patients can use to order the pump to dose insulin so that they do not need access to the device itself, which is typically worn under clothing and can be awkward to reach.

  18. Re:Part of the problem is archaic compliance testi by Anonymous Coward · · Score: 0

    Wait, so a major design change like adding wireless networking requires re-certification? Crazy!

    Seriously, though, I think it makes sense to require re-certification. And, clearly, certification needs some sort of security component as well today. If the certification is unnecessarily onerous, though, that is something we should address.