Johnson & Johnson Discloses That Its Insulin Pump Is Hackable

An anonymous reader quotes a report from The Stack: Johnson and Johnson has revealed that its JJ Animas OneTouch Ping insulin pump is vulnerable to hackers, who could potentially force the device to overdose diabetic patients -- however, it declares that the risk of this happening is very low. Unnamed executives from the American multinational medical manufacturer said that they were taking the unprecedented step of warning customers about the vulnerability, particularly in light of recent controversies regarding attack vectors in cardiac equipment. In a letter to doctors and 114,000 patients, sent on Monday, the company wrote: "The probability of unauthorized access to the OneTouch Ping system is extremely low... It would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping system is not connected to the internet or to any external network." Even though the company's own technicians were able to hack the pump within a distance of 25 feet, Johnson and Johnson's chief medical officer Brian Levy observed that the hack would be extremely difficult to pull off, and said "We believe the OneTouch Ping system is safe and reliable. We urge patients to stay on the product."

The gauntlet has been thrown

Now people will hack into these just to prove they can. How many have to die because of J&J being cheap and not fixing them?

Re:The gauntlet has been thrown

[Mr+D+from+63]

Pretty much anything is hackable if you can get your hands on it. Considering the proximty and time required for a successful hack, the hacker would stand a high risk of being caught and charged with murder or attempted murder. So if one is smart enough to do it they're probably smart enough to not even try.

Re:The gauntlet has been thrown

[Fwipp]

Considering the proximty and time required for a successful hack, the hacker would stand a high risk of being caught and charged with murder or attempted murder.

I'm not sure that's true. I don't see anything in the article saying that it takes very long to carry out, and 25 feet is well within the range of "sitting nearby at a coffee shop."

Additionally,

it is believed these attacks could be performed from one to two kilometers away, if not substantially further, using sufficient elevation and off-the-shelf radio transmission gear available to ham radio hobbyists.

Re:The gauntlet has been thrown

[PCM2]

Yikes! I wonder if that's a line-of-sight thing or if you could just drop every diabetic in a 2km range ... you know, for plausible deniability.

Re:The gauntlet has been thrown

[Guy+Harris]

Yikes! I wonder if that's a line-of-sight thing or if you could just drop every diabetic in a 2km range

Only if every diabetic within range of your hacking device is using an insulin pump that your device can hack. Not all diabetics are on insulin, not all diabetics on insulin use insulin pumps, and not all diabetics using insulin pumps are all using the same model with similarly-hackable firmware.

Re:The gauntlet has been thrown

[bobbied]

Actually, the effort required to do this hack is quite high and the risks to the patient is quite low from this hack.

An overdoes of insulin is indeed dangerous and can cause death if left untreated for an extended time, but diagnosis is easy (a finger prick blood glucose test) and treatment is easier (Drink some juice or a sugared soda).

So with the extremely high technical requirements to perform the hack from a distance, especially without the victim knowing and the ease of diagnosis and treatment from the resulting over dose of insulin, the chances of lasting harm is astonishingly low, lower than going out with a recall, forcing all these patients to undergo the surgery to remove and replace the implanted devices.

I'm with J&J, It's just NOT worth the replacement risks.... General Anesthesia has significant risks, much more than somebody hacking your insulin pump on the subway.

Re:The gauntlet has been thrown

[Mr+D+from+63]

Considering the proximty and time required for a successful hack, the hacker would stand a high risk of being caught and charged with murder or attempted murder.

I'm not sure that's true. I don't see anything in the article saying that it takes very long to carry out, and 25 feet is well within the range of "sitting nearby at a coffee shop."

Additionally,

it is believed these attacks could be performed from one to two kilometers away, if not substantially further, using sufficient elevation and off-the-shelf radio transmission gear available to ham radio hobbyists.

Both those situations present a pretty good risk of getting caught. Only so many people in those areas at a given time would have the knowledge of the victim and the capability.

Re:The gauntlet has been thrown

[c]

Considering the proximty and time required for a successful hack

"Time required" is dependent on how often the devices generate the packets you'd need to hack. Odds are if you park yourself in the middle of a food court or restaurant you'll find a few victims quite easily since pump users need to tweak settings when they sit down to eat.

As far as proximity or someone being smart enough to do it... it doesn't sound like rocket science and I wouldn't bet against it. A laptop with a $10 RTL2832U/R820T2 dongle is enough to mess with 900MHz signals, so if someone comes up with a script then it's a good bet that a bored dipshit would find it funny to fire it up somewhere.

Re:The gauntlet has been thrown

[techno-vampire]

Speaking as an insulin-dependent diabetic (I've never been on a pump and don't expect to be in the future.) I can tell you that you're only looking at one side of the coin. The other side is hacking the pump to deliver less insulin than needed, causing the victim to go into a coma caused by high blood sugar. In that case, the proper treatment is insulin, and if the patient is awake and coherent, lots and lots of water to drink so that the kidneys can do their part in flushing it out of the system.

Re:The gauntlet has been thrown

[Mr+D+from+63]

p>As far as proximity or someone being smart enough to do it... it doesn't sound like rocket science and I wouldn't bet against it. A laptop with a $10 RTL2832U/R820T2 dongle is enough to mess with 900MHz signals, so if someone comes up with a script then it's a good bet that a bored dipshit would find it funny to fire it up somewhere.

Funny that type of thing never seems to happen in the real world. Its not like there aren't a lot of opportunities to pull off similar life threatening hacks already, be it cars, medical devices, medical devices. etc. Or even non life threatening ones. Yet I keep hearing this talk like there are these stereotypical bored computer geeks are roving the streets with hacking gear looking to pull off this type of thing.

Re:The gauntlet has been thrown

[FatdogHaiku]

Now Now, Johnson and Johnson's chief medical officer Brian Levy seems very confidant the devices are safe.
With that in mind maybe he could have one installed in HIM. Bonus points if he walks into a Defcon wearing a name badge.
A majority of board members joining him would show the company is truly committed to the product...
I would imagine a few of the biggest investors would also want in on the action, just to bolster stock prices.
</delusion>

Re:The gauntlet has been thrown

[Mr+D+from+63]

^and why is it always done in coffee shops?

Re:The gauntlet has been thrown

[niftymitch]

Now people will hack into these just to prove they can.
How many have to die because of J&J being cheap and not fixing them?

So these pumps are where? Google google google.
Cool it is outside the body and connected by a simple Infusion set with standard Luer connector.
That makes it easy to replace.

All these bluetooth family of short distance devices are a risk...
time will tell what JJ does.

Re:The gauntlet has been thrown

[Pinky's+Brain]

ToF protection to make NFC truly NFC is still very rare, even though the silicon cost is negligible and it should have been part of the standard from day 1, most of the time a larger antenna is enough to increase distance.

Re:The gauntlet has been thrown

[c]

Funny that type of thing never seems to happen in the real world.

That we know of.

But no, I don't think it's happening much yet. Their wireless tech is still quite primitive. I don't think it's going to be a real problem until manufacturers start putting these things on the Internet and open them up to the same people turning IP cameras into botnets. They'll be adding smartphone integration first, of course (most of these devices upload data via USB currently), but inevitably they'll add wifi integration. If they don't learn something about security before then it's going to be bad.

Re:The gauntlet has been thrown

[niftymitch]

Actually, the effort required to do this hack is quite high and the risks to the patient is quite low from this hack.

....

I'm with J&J, It's just NOT worth the replacement risks.... General Anesthesia has significant risks, much more than somebody hacking your insulin pump on the subway.

I am with JJ but this does not require surgery to replace.
It is external and connects to the body with an infusion set with standard Luer connector.

I can see a software update to the paired system.
Two devices a blood glucose meter and the infuser.

Re:The gauntlet has been thrown

[Mr+D+from+63]

If people are dying because of hacked devices, we'd be hearing about it.

Re: The gauntlet has been thrown

[Endloser]

There are people doing that. They're called auditors. You have to be just good enough at security to keep them off your back. The whole point is to keep security ahead of the curve: effort required to secure * value of controlling resource > effort required to obtain * value of gained resource (inclusive of satisfying motivation) If we didn't do this ridiculous draconian thing security could really slip in general to a point we'll have trouble securing it, like transportation signaling equipment. However I don't think they need to take care of it with this model. We likely have a while before the technology to achieve this is ubiquitous enough to make it anymore dangerous than the intense motivation to kill you someone would need to do it like this. I mean a hammer could just as easily assassinate a diabetic.

Re:The gauntlet has been thrown

[Bob_Who]

If people are dying because of hacked devices, we'd be hearing about it.

Maybe not....

They hacked the hearing aids too..

Re:The gauntlet has been thrown

[Bob_Who]

You mean like North Korea is trying to do with that plutonium hack...

Re:The gauntlet has been thrown

[c]

Actually, the effort required to do this hack is quite high...

Not it isn't.

Actually, I don't know for sure either way, but you have to be a fool to bet that it is. History has shown very consistently that security holes in any given product are always easier to exploit than the vendor will admit to, and they become less and less difficult as time passes without a proper fix.

Off hand, from the attack demo video the guy is running it off a Pi with a USB RF dongle... probably an obvious application of RTL-SDR. I suspect the biggest hurdle is that you'd need access to one of these pumps to build your attach tool.

An overdoes of insulin is indeed dangerous and can cause death if left untreated for an extended time...

You meant "underdose".

An overdose of insulin lowers blood glucose and results in hypoglycemia, which is extremely dangerous and can cause death very quickly if the diabetic happens to be doing something like, say, driving and doesn't catch the symptoms or blood sugar drops far too quickly. Being asleep would be another bad time to have glucose levels bottom out

Re:The gauntlet has been thrown

[dbIII]

A few years ago I talked to a guy from RSA who was making sure that a pacemaker with wireless controls was secured. He had to brush up on Z80 code to do it.
Today there is no excuse since the hardware is far more capable.

Re:The gauntlet has been thrown

[mwvdlee]

That's because besides the need for some hardware, technical expertese and the right location, you'd also need a psychopathic murderer who can't think of an easier way to kill people.

Re:The gauntlet has been thrown

[Opportunist]

Proximity required? Like, say, in a school cafeteria where some geek prankster who doesn't even know what damage he might do could give it a try?

Kids don't give a shit about consequences. But fortunately, kids being killed by improper medial equipment cause enough of a stir to get things done. I guess some minor will have to croak so we see something being done, but hey, at least it's not going to kill someone whose education already costed an arm and a leg. From an economic point of view, better some snotty kid than an adult.

Re:The gauntlet has been thrown

[AmiMoJo]

It's of more concern to organisations with diabetic VIPs. Governments, businesses, organized crime (but I repeat myself).

I seem to recall that certain members of the US government have special medical devices with the radios disabled. Anyone who might be the target of assassination should be worried.

Re:The gauntlet has been thrown

[GrumpySteen]

While the problem does need to be fixed, it's highly unlikely that anyone will die due to a random hacker messing with their device.

Despite the Hollywood movie stereotype of evil hackers who unleash chaos and destruction on the world, the truth is that most hackers are just curious about how things work and have no desire to cause damage, much less kill people. The closest thing that exists to the stereotype are the hackers who are trying to make a profit without regard to the cost to others, but there's no profit in screwing with someone's insulin pump.

The only real danger is if someone you know wants to kill you. If that's the case, however, this is just an additional option for the method and you're still likely to wind up dead even if the security on your insulin pump is fixed.

Re:The gauntlet has been thrown

[Aaden42]

That's where all the l33t h5x0rz are! Everybody knows that!!!

Re:The gauntlet has been thrown

[GrumpySteen]

No. It's RF, so line of sight isn't required, but the article says the range is about 25 feet.

In addition, you have to capture packets from the remote in order to get the pairing key in order to spoof commands to the pump. Every pump in the vicinity would have to have been paired with the same remote in order for one broadcast to affect them all.

Re:The gauntlet has been thrown

[Aaden42]

I wouldn't be so sure. Consider what evidence is left on a device that's been hacked remotely. (I don't know at all, just speculating of course.)

What if a hacked command to send a lethal overdose looks exactly like the user pressing the buttons to deliver the same dose? Any legal risk minded investigation team is going to be falling over themselves to label that either an "accidental" overdose or perhaps even a suicide rather than let it go down as a security issue in their device that allowed someone to murder the user at a distance by twiddling some buttons. My (cynical) guess would be if the security of an embedded device is such that it can take unauthorized commands over the wire, odds are pretty good it's not going to successfully audit what happened in any meaningful way.

If it happened en mass, sure. People would put it together, and we'd get a Made for Lifetime movie about the intrepid hero who wouldn't accept the party line and pushed through to discover the horrible truth... Or somesuch drek... But one or two, here & there? We've all seen the bit about automotive recalls at the beginning of that movie we don't talk about, right?

Re:The gauntlet has been thrown

[Mr+D+from+63]

Those kids already can be hurting people in all kinds of ways today. Why are they waiting for this specific opportunity?

Re:The gauntlet has been thrown

[Mr+D+from+63]

It depends on how unusual it is for this to happen, as these devices are supposed to be idiot proof.

Re:The gauntlet has been thrown

[Opportunist]

Because in direct confrontations, geeks are usually not really the ones that come out on top.

Re:The gauntlet has been thrown

[Mr+D+from+63]

There are plenty of ways to hurt people without direct confrontation.

Re:The gauntlet has been thrown

[Opportunist]

And now we have one more. Yay.

Do Trump AND Hillary use it?

[Bruce66423]

If both were to come to a bad end, there would be massive rejoicing...

Re:Do Trump AND Hillary use it?

[HiThere]

Not really. Have you even looked at the VP candidates.

*TODO: Insert Subject*

[m0hawk]

Although it is unlikely that a hack will occur, hopefully J&J will look at security more thoroughly in the future. Obviously a person dying due to a faulty, or hacked insulin pump is less expensive than a recall and firmware update.

Maybe they could just post equipment in major cities that hack the new firmware onto the pumps! No recall, and probability of a hack goes down even further. What on earth could possibly go wrong?!

At least the quotes don't sound like they were written by a progressive, brand visionary, user centrist methodology PR company; they've admitted that there is a problem, and it wasn't spun to say it was in the best interest of the users (take note HP).

Re:Good for them...

[Bob_Who]

at least they made a public disclosure.

EXACTLY.

After all, EVERYTHING is hackable.

Just don't say you weren't warned by J & J.

yes, no and kinda

[Gravis+Zero]

“The probability of unauthorized access to the OneTouch Ping system is extremely low It would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping system is not connected to the internet or to any external network.”

• - technical expertise - yes
• - sophisticated equipment - a $15 dongle to do SDR
• - proximity to the pump - come within 20 feet of of the pump and you can hack it. anything internet connected that can communicate at 900 MHz could potentially hack the device

if someone was targeting you (especially a nation-state) and wanted to kill you, this would be a great way of doing it.

Re:yes, no and kinda

[amiga3D]

My wife's Medtronic Insulin pump requires actually pushing an acknowledgment button before it will deliver insulin.

Re:yes, no and kinda

[Gravis+Zero]

that's nice but when it's hacked to deliver the wrong amount?

Re:yes, no and kinda

[amiga3D]

Well, it gets the reading remotely from the blood glucose meter and calculates the dose. It then displays the amount of insulin for the bolus delivery. You look at it and generally, if you've been using a pump or doing injections you know about what range you usually end up taking. If it's off a lot it should be obvious as long as you're actually alert. When it comes to things like that being observant is important.

Re:yes, no and kinda

[slash.dt]

Well, it gets the reading remotely from the blood glucose meter and calculates the dose. It then displays the amount of insulin for the bolus delivery. You look at it and generally, if you've been using a pump or doing injections you know about what range you usually end up taking. If it's off a lot it should be obvious as long as you're actually alert. When it comes to things like that being observant is important.

Using the bolus wizard is one path through the menus but is not the only one. If you have remotely connected to the pump you can tell it to deliver without requiring the user to press any buttons. Medtronic have turned off some of the remote ability with the firmware in their later pumps, unfortunately that has also denied access to projects such as OpenAPS. I would like to see some ability to pair known devices together rather than cutting off all access completely.

Re:yes, no and kinda

[c]

My wife's Medtronic Insulin pump requires actually pushing an acknowledgment button before it will deliver insulin.

My wife just switched to an OmniPod, which doesn't have a UI of any sort on the pump unit itself. The controller commnunicates with the pump using what I believe is 433MHz FSK coding, and quite frankly I'm a terrified to start playing with a 433MHz capture board within range of her because I have a bad feeling about what I'll find...

That main thing that prevents a bolus overdose attack is that pumps make enough noise when they dispense a bolus that the wearer would notice it. However, if you increased the basal (especially overnight) it's quite possible they wouldn't catch that...

Re:yes, no and kinda

[amiga3D]

Ah...anonymous coward, I understand that while anything is possible, some things are so remotely possible as to be very nearly impossible. There is no way to make something absolutely impossible to hack. You simply make it so hard that people get tired and go find the low hanging fruit.

Re:yes, no and kinda

[amiga3D]

I know my wife doesn't use the remote. She has one but it's just too easy to pull the pump up, look at it and okay the dose. The remote adds complexity and of course while hacking would not be that easy it could be done.

Part of the problem is archaic compliance testing

[burtosis]

I'm pretty sure most readers here will agree medical devices in critical applications need to be regulated and tested to a high degree. But the system was never designed around devices with internet connectivity and other communication technology. There isn't even a realistic way to upgrade the security or install patches on these devices without repeating the entire certification process in most cases. The medical community needs to update thier security in some sane and reasonable way. I mean they were almost unable to get 21st century databases (still don't in many cases) the security on devices should be the next big area to be reformed.

Playing both sides?

[slincolne]

Interesting approach to the problem:

On one hand they are fulfilling their duty of care by disclosing this information to the public so they can make an informed decision; and

On the other hand they are protecting their shareholders by suggesting that the devices are safe and people can continue to use them.

It's a sad thing when the profit motive is put ahead of patient safety, however I suspect we will see a lot more of this as the 'Internet of Things' and 'eHealth' agendas collide on the desk of medical professionals who think they are experts but in fact are not.

Welcome to the impending risk of death by technology.

The Right Discussion

I'd like to point out, and this is refreshing, that because Johnson and Johnson disclosed this themselves, with some details, that the discussion on here is the right one. People are discussing severity, risk and impact.

If they inform customers...

[gweihir]

Then the risk is not "extremely low". If it where that, they would just sweep their incompetence under the carpet...

Re:Part of the problem is archaic compliance testi

[freeze128]

The pump shouldn't be connected to the internet... It doesn't need to be. It probably doesn't even need Bluetooth, but probably has some sort of remote diagnostic ability so it can dump log files.... But this whole thing is moot anyway. Didn't the FDA just approve a closed-loop artificial pancreas? It looks like a good time to upgrade, and feel better!

Re:Part of the problem is archaic compliance testi

[havana9]

The pump uses a proprietary protocol on 900 MHz ISM band. It is nor Bluetooth neither uses TCP/IP. So to interfere with the device one has to be in the proximity and having a system to send fake commands: it's a lot like the problems one could have with garage door openers rather than the ones with IoT things. Luckily J&J didn't followed the easy route, mabye because the pumps has to run on a small 8 bit microcontroller and adding a TCP/IP stack was unfeasible.

On the contrary

[aepervius]

That is nearly 8 meter. So you only need to be in proximity doing nothing reading a book while your conspicuously hidden laptop is doing the job, with scripts already prepared is trying. Then once the max dose of insuline is given you can simply safely go. Remember that the effect will not be *immediate* has if it was cyanide administered, the blood sugar will take a bit of time to be absorbed. So yeah. The risk of being charged is actually much lower than you think it is. If nobody catch you red handed with a laptop, then once symptom start to apepar just calmly head for the exit, and wipeout your laptop.

Re:On the contrary

[Mr+D+from+63]

Only you forgot most public areas have video cameras. You'd be surprise how quickly a suspect list can be narrowed down.

Re:Good for them...

[Opportunist]

No. Bullshit. Not everything is hackable. Not by a long shot. And certainly not without direct physical access.

Want proof? Here's my laptop. It comes with a physical switch that turns WiFi off. Try to hack it remotely. Oh, you might be able when I turn WiFi on, true, but how about I only do that in a controlled environment, with shielded walls surrounding me and the laptop's peer so I can ensure that only these two devices communicate while WiFi is turned on, and outside the controlled environment, I turn any over-the-air connectivity off.

You're invited to hack it, but no touching!

And since the insulin pump in question is outside the body, adding such a switch is trivial at best. But I guess it would cost 5 cents more, so the markup on the device would drop to 999999999%.

Re:Part of the problem is archaic compliance testi

[AmiMoJo]

Can someone explain why it even has a radio communication system? Why not just have a USB port for reprogramming?

I appreciate that wireless is convenient, but it's also a huge attack surface, and it appears that if there was any authentication at all then it's extremely weak.

Re:Part of the problem is archaic compliance testi

[cdrudge]

Didn't the FDA just approve a closed-loop artificial pancreas?

Yes, although calling it an artificial pancreas is a lot like calling an iron lung an artificial lung. The device works in conjunction with an insulin pump and continuous glucose monitor, sampling every 5 minutes glucose levels and dosing insulin in response. It's a hybrid system though that only handles basal insulin while bolus insulin from meals needs to be manually specified, as well as periods of exercising.

The FDA specifically worked with MedTronic to accelerate the pre-market compliance testing that usually grinds development slowly.

As a type-2 diabetic, the system isn't designed for me yet, but it is exciting to see development in the area. Maybe one day I can just wear a watch like device that takes care of all my monitoring and dosing and missed injections and going hypo- or hyper-glycemic will be a thing of the past.

Re:Good for them...

[Aaden42]

In fairness, adding the switch might cost five cents, but adding it to the *design* & getting it recertified would cost millions, easy.

Re:Good for them...

[Opportunist]

You think that recertification will be less expensive after someone died?

Re:Good for them...

[Aaden42]

It might be honestly. Might be able to convince the FDA to agree to an accelerated process because of the emergency situation. Never let a good catastrophe go to waste...

Probabaly easier to sell the cost to stock holders and others who don't get security too when they "have to" do it, as opposed to spending just proactively suring up security that hasn't been broken yet, at least not practically for reals. Anyone in infosec knows firefighting is easier to get funding for than prevention...

Re:Good for them...

[Opportunist]

Sadly this is absolutely logical and most likely correct. Thanks, now I can go home depressed...

Re:Good for them...

[Bob_Who]

Sadly this is absolutely logical and most likely correct. Thanks, now I can go home depressed...

Amen.
Human nature is bug in every design implementation.
Perhaps that makes it Art.