Johnson & Johnson created an insulin pump for diabetic patients, but the company did not realize the risks to which it was exposing its consumers. The company wanted to make patients' lives easier, but it seems that it overlooked some risks.
Johnson & Johnson and Animas recently warned their customers that attackers may be able to hack their OneTouch Insulin Infusion Pump.
Vulnerabilities When Using the Insulin Pump
Researchers from Rapid7 discovered some fatal vulnerabilities in the data encryption of the OneTouch Insulin Infusion Pump, which they reported to Johnson & Johnson, according to ZDNet.
The system consists of two devices, the meter and the pump, which communicate wirelessly.
Jay Radcliffe, a Rapid7 researcher, said that the first vulnerability, CVE-2016-5084, means the data transmitted between these two devices can be easily intercepted. J&J apparently failed to provide proper encryption for these devices, so attackers can obtain information such as dosage and blood glucose data.
The second vulnerability, CVE-2016-5085, concerns the weak pairing between the pump and the meter. Although some steps are required before the pump can be used, the information is always the same, so this provides no security either.
"Attackers can trivially sniff the remote/pump key and then spoof being the remote or the pump," Radcliffe said. "This can be done without knowledge of how the key is generated. This vulnerability can be used to remotely dispense insulin and potentially cause the patient to have a hypoglycemic reaction."
The last vulnerability, CVE-2016-5086, is the lack of timestamps or sequence numbers in the communication between the pump and the meter. This leaves the pump open to serious risks such as replay attacks.
With these flaws, users are at high risk, as an overdose can result in death.
Are Insulin Pumps Still Safe?
Used properly, the insulin pump created by Animas, a subsidiary of Johnson & Johnson, is still very helpful and very safe for patients.
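The protection that CVE-2016-5086 describes as missing, shown as an added example that is not from the article, Rapid7 or Animas: a receiver that authenticates each frame with an HMAC and accepts only strictly increasing sequence numbers. The frame layout, key, command name and all function names are assumptions for illustration, not the pump's actual protocol.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 tag size in bytes


def build_frame(key: bytes, seq: int, command: bytes) -> bytes:
    """Sender side: 8-byte big-endian sequence number, command, then HMAC tag."""
    body = struct.pack(">Q", seq) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Hypothetical receiver that accepts a frame only if it is authentic and fresh."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0  # highest sequence number accepted so far

    def accept(self, frame: bytes):
        """Return the command if the frame is valid, otherwise None."""
        if len(frame) < 8 + TAG_LEN:
            return None  # too short to hold a sequence number and a tag
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # forged or modified frame
        seq = struct.unpack(">Q", body[:8])[0]
        if seq <= self.last_seq:
            return None  # replayed or stale frame
        self.last_seq = seq  # advance only after full validation
        return body[8:]


def demo():
    key = bytes(range(32))  # constructed demo key; assumed to be a per-pairing secret
    rx = Receiver(key)
    first = build_frame(key, 1, b"STATUS")  # constructed sample command
    results = [rx.accept(first), rx.accept(first)]  # second call is a replay
    tampered = bytearray(build_frame(key, 2, b"STATUS"))
    tampered[8] ^= 0x01  # flip one bit of the command
    results.append(rx.accept(bytes(tampered)))
    results.append(rx.accept(build_frame(key, 2, b"STATUS")))
    return results  # [b"STATUS", None, None, b"STATUS"]
```

The example covers authenticity and freshness only; it does not encrypt the payload, so it does not address the interception issue described for CVE-2016-5084.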
"If my child were diagnosed with diabetes today, I would have no problem putting them on an Animas pump," Radcliffe said. Also, he pointed out that Johnson & Johnson has handled the issues well, according to USA Today.