The Animas OneTouch Ping insulin pump has flaws that can be exploited remotely. The two flaws were disclosed jointly by the security firm Rapid7 and the device's parent company, Johnson & Johnson, both of which say the attack is sophisticated and that the risk of exploitation is, at the moment, relatively low.
The Animas OneTouch Ping is a medical device equipped with a wireless remote control, which lets patients deliver insulin without reaching for the pump worn under their clothing. It is a two-part system consisting of the pump and the meter remote. The two communicate wirelessly over RF, so that a dose entered on the remote is delivered straight from the pump.
Jay Radcliffe, a researcher at Rapid7, was responsible for discovering the flaws in the pump. He is himself a diabetic and has previously found flaws in other pumps. Radcliffe noticed that the OneTouch Ping did not encrypt its communications, so an attacker could alter the traffic between the pump and the remote and trigger insulin doses that were not needed. Rapid7 confirmed that, because the communications are sent in clear text, an attacker could spoof them and trigger insulin doses.
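The core of the flaw described above is that the pump has no way to tell a message from its paired remote apart from one that was copied or fabricated by someone else. The following added example (not the device's protocol and not Rapid7's or Animas' code) models that in Python with a constructed toy command format: a `CleartextPump` that accepts any well-formed frame, next to an `AuthenticatedPump` that requires an HMAC-SHA256 tag under a per-pair key and a strictly increasing counter. The names `Remote`, `CleartextPump`, `AuthenticatedPump`, `BODY_FMT` and `demo` are all assumptions made for the illustration; the point is the mitigation, namely that a keyed tag plus a counter defeats both the replayed and the forged frame that the cleartext design accepts.

```python
import hashlib
import hmac
import secrets
import struct
from typing import List, Optional

# Constructed toy command format (not the OneTouch Ping protocol):
# a 6-byte body = insulin units in tenths (uint16) + message counter (uint32).
BODY_FMT = ">HI"
BODY_LEN = struct.calcsize(BODY_FMT)   # 6 bytes
TAG_LEN = 16                           # truncated HMAC-SHA256 tag


def make_tag(key: bytes, body: bytes) -> bytes:
    """Authentication tag over the command body, keyed with the pairing key."""
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class Remote:
    """Meter remote. With key=None it models the cleartext design; with a key it
    authenticates every command and includes a strictly increasing counter."""

    def __init__(self, key: Optional[bytes]) -> None:
        self.key = key
        self.counter = 0  # a real remote must persist this across power cycles

    def dose_frame(self, units_tenths: int) -> bytes:
        self.counter += 1
        body = struct.pack(BODY_FMT, units_tenths, self.counter)
        if self.key is None:
            return body
        return body + make_tag(self.key, body)


class CleartextPump:
    """Pump that trusts any well-formed frame: it cannot tell remote from impostor."""

    def __init__(self) -> None:
        self.delivered: List[int] = []

    def receive(self, frame: bytes) -> bool:
        if len(frame) != BODY_LEN:
            return False
        units, _counter = struct.unpack(BODY_FMT, frame)
        self.delivered.append(units)
        return True


class AuthenticatedPump:
    """Pump that accepts a dose only if the tag verifies under the pairing key
    and the counter is newer than the last accepted one (rejects replays)."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_counter = 0
        self.delivered: List[int] = []
        self.rejected: List[str] = []

    def receive(self, frame: bytes) -> bool:
        if len(frame) != BODY_LEN + TAG_LEN:
            self.rejected.append("malformed")
            return False
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        # Constant-time compare so tag verification leaks no timing information.
        if not hmac.compare_digest(tag, make_tag(self.key, body)):
            self.rejected.append("bad_tag")
            return False
        units, counter = struct.unpack(BODY_FMT, body)
        if counter <= self.last_counter:
            self.rejected.append("replay")
            return False
        self.last_counter = counter
        self.delivered.append(units)
        return True


def demo() -> dict:
    """Feed each pump design a legitimate frame, that same frame a second time
    (a captured-and-replayed message) and a frame built by a party with no key."""
    # Cleartext design: all three frames look identical to the pump.
    pump = CleartextPump()
    remote = Remote(None)
    legit = remote.dose_frame(25)                  # 2.5 units from the real remote
    pump.receive(legit)
    pump.receive(legit)                            # replayed copy of the same frame
    pump.receive(struct.pack(BODY_FMT, 250, 99))   # forged frame, no key involved

    # Authenticated design: key generated at pairing and shared only by this pair.
    key = secrets.token_bytes(32)
    auth_pump = AuthenticatedPump(key)
    auth_remote = Remote(key)
    legit2 = auth_remote.dose_frame(25)
    auth_pump.receive(legit2)
    auth_pump.receive(legit2)                      # replay -> rejected by counter
    auth_pump.receive(struct.pack(BODY_FMT, 250, 99) + bytes(TAG_LEN))  # forged -> bad tag

    return {
        "cleartext_delivered": pump.delivered,           # [25, 25, 250]
        "authenticated_delivered": auth_pump.delivered,  # [25]
        "authenticated_rejected": auth_pump.rejected,    # ["replay", "bad_tag"]
    }


if __name__ == "__main__":
    print(demo())
```

The counter is checked only after the tag verifies, so an unauthenticated party cannot advance the pump's `last_counter` and lock out the genuine remote; a deployed design would also need key provisioning at pairing time and a persistent counter on both sides, which the toy leaves out.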
Johnson & Johnson's decision to reveal the flaw is unprecedented: it has become the first manufacturer to disclose flaws of this kind in its own products. According to reports, the company sent letters to doctors across the globe and to some 114,000 patients known to be using the device in Canada and the United States. In its statement, the company wrote that the likelihood of exploitation was very low.
Rapid7 said it believed the attacks could be carried out from one or two kilometres away, and in some cases from further still if the attacker made use of substantial elevation and the off-the-shelf radio transmission gear available to ham radio hobbyists.
Radcliffe clarified that most people are at very limited risk from the flaw, saying he did not want non-technical diabetics to panic. He went on to say that the attack is very sophisticated and requires the attacker to be physically close to the pump. He also advised against panicking and abruptly removing the pump, likening giving up the pump over this risk to never taking an aeroplane because it might crash.
He noted, however, that as the technology in such devices advances and they are increasingly connected to the Internet, the risk will certainly grow.