Slashdot Mirror


Johnson & Johnson Discloses That Its Insulin Pump Is Hackable (thestack.com)

An anonymous reader quotes a report from The Stack: Johnson and Johnson has revealed that its JJ Animas OneTouch Ping insulin pump is vulnerable to hackers, who could potentially force the device to overdose diabetic patients -- however, it declares that the risk of this happening is very low. Unnamed executives from the American multinational medical manufacturer said that they were taking the unprecedented step of warning customers about the vulnerability, particularly in light of recent controversies regarding attack vectors in cardiac equipment. In a letter to doctors and 114,000 patients, sent on Monday, the company wrote: "The probability of unauthorized access to the OneTouch Ping system is extremely low... It would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping system is not connected to the internet or to any external network." Even though the company's own technicians were able to hack the pump within a distance of 25 feet, Johnson and Johnson's chief medical officer Brian Levy observed that the hack would be extremely difficult to pull off, and said "We believe the OneTouch Ping system is safe and reliable. We urge patients to stay on the product."

2 of 79 comments

  1. Re:yes, no and kinda by amiga3D · Score: 3, Informative

    Well, it gets the reading remotely from the blood glucose meter and calculates the dose. It then displays the amount of insulin for the bolus delivery. You look at it and generally, if you've been using a pump or doing injections you know about what range you usually end up taking. If it's off a lot it should be obvious as long as you're actually alert. When it comes to things like that being observant is important.

  2. Re:The gauntlet has been thrown by Aaden42 · Score: 3, Informative

    I wouldn't be so sure. Consider what evidence is left on a device that's been hacked remotely. (I don't know at all, just speculating of course.)

    What if a hacked command to send a lethal overdose looks exactly like the user pressing the buttons to deliver the same dose? Any legal-risk-minded investigation team is going to be falling over themselves to label that either an "accidental" overdose or perhaps even a suicide rather than let it go down as a security issue in their device that allowed someone to murder the user at a distance by twiddling some buttons. My (cynical) guess would be if the security of an embedded device is such that it can take unauthorized commands over the wire, odds are pretty good it's not going to successfully audit what happened in any meaningful way.

    If it happened en masse, sure. People would put it together, and we'd get a Made for Lifetime movie about the intrepid hero who wouldn't accept the party line and pushed through to discover the horrible truth... Or somesuch dreck... But one or two, here & there? We've all seen the bit about automotive recalls at the beginning of that movie we don't talk about, right?
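As an added illustration of the two points raised above (the meter-to-pump dose path in comment 1 and the missing audit trail in comment 2), here is a sketch of how pump firmware could accept a remote bolus only when it carries an authentication tag under a pairing key and a fresh counter, cap the dose, and record whether the command arrived over the wireless link or from the pump's own buttons. This is not code from the article, the commenters or Johnson & Johnson; the pairing key, message layout and 10-unit ceiling are assumed values.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass, field

MAX_BOLUS_UNITS = 10.0  # assumed safety ceiling, not a real OneTouch Ping parameter


@dataclass
class Pump:
    pairing_key: bytes            # shared with the meter/remote at pairing time (assumed)
    last_counter: int = 0         # highest counter accepted so far (replay protection)
    audit: list = field(default_factory=list)  # (origin, outcome, counter, units)

    def _tag(self, counter: int, units: float) -> bytes:
        # Assumed wire format: 4-byte counter followed by an 8-byte double, HMAC-SHA256.
        return hmac.new(self.pairing_key, struct.pack(">Id", counter, units),
                        hashlib.sha256).digest()

    def remote_bolus(self, counter: int, units: float, tag: bytes) -> bool:
        """Handle a bolus request received over the wireless link."""
        if not hmac.compare_digest(tag, self._tag(counter, units)):
            self.audit.append(("remote", "rejected:bad_auth", counter, units))
            return False
        if counter <= self.last_counter:  # an old, captured message is not replayed
            self.audit.append(("remote", "rejected:replay", counter, units))
            return False
        if units > MAX_BOLUS_UNITS:  # even an authentic request cannot exceed the cap
            self.audit.append(("remote", "rejected:over_limit", counter, units))
            return False
        self.last_counter = counter
        self.audit.append(("remote", "delivered", counter, units))
        return True

    def local_bolus(self, units: float) -> bool:
        """Bolus confirmed by button presses on the pump itself."""
        if units > MAX_BOLUS_UNITS:
            self.audit.append(("local", "rejected:over_limit", None, units))
            return False
        self.audit.append(("local", "delivered", None, units))
        return True


def make_remote_request(key: bytes, counter: int, units: float):
    """What a legitimately paired meter would send (constructed helper for testing)."""
    tag = hmac.new(key, struct.pack(">Id", counter, units), hashlib.sha256).digest()
    return counter, units, tag
```

The audit list keeps the origin of every dose, so a later review can distinguish a remote command from a user's button press, which is exactly the distinction the second commenter worries would be lost.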