Insulin Pump Vulnerabilities
Friday, October 7, 2016 @ 02:10 PM gHale
Animas will not release a patch or new firmware version to mitigate security vulnerabilities in its OneTouch Ping insulin pump system, but the company did provide compensating controls to reduce the risk of exploitation, according to an advisory from ICS-CERT.
These compensating controls, however, could have an impact on the functionality of the device.
These vulnerabilities, discovered by Rapid7, are remotely exploitable via radio frequency communications.
Detailed vulnerability information is publicly available and could end up used to develop an exploit that targets these vulnerabilities.
All versions of the Animas OneTouch Ping insulin pump system are affected.
Successful exploitation of these vulnerabilities may allow an attacker to spoof radio frequency communications between the meter remote and the pump to issue unauthorized commands, or to replay captured communications to control the pump, including administering insulin. Successful exploitation could therefore have a direct impact on patient safety.
Animas is a subsidiary of Johnson & Johnson and is a U.S.-based company that maintains offices in several countries around the world.
The affected product, the OneTouch Ping insulin pump system, is a two-part system: a meter remote that communicates wirelessly with the pump over radio frequency, including to instruct the pump to deliver insulin.
The OneTouch Ping insulin pump system sees use across the healthcare and public health sector. Animas said this product mainly sees use in the U.S. and Canada.
All communications between the meter remote unit and the pump are transmitted in cleartext, so anyone within radio range can read the commands, including dose amounts, and capture them.
CVE-2016-5084 is the identifier assigned to this vulnerability, which has a CVSS v3 base score of 6.5.
In addition, the setup of the Animas OneTouch Ping insulin pump system involves a pairing process during which a checksum is generated and then used as the encryption key for subsequent communications. This value does not change between authentication handshakes between the meter remote unit and the pump, so once an attacker learns it, it stays valid.
CVE-2016-5085 is the identifier assigned to this vulnerability, which has a CVSS v3 base score of 4.2.
Separately, an attacker could capture transmissions between the meter remote unit and the pump and replay them to initiate unauthorized commands, including administering insulin.
CVE-2016-5086 is the identifier assigned to this vulnerability, which has a CVSS v3 base score of 6.4.
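The three weaknesses above (cleartext link, a static key derived from a checksum, and no replay protection) combine into one attack: record a legitimate bolus command and send it again. The model below is an added example, not code from the page, from Animas, or from Rapid7, and it does not reproduce the OneTouch Ping wire format. The command code, the CRC32-of-serial pairing key, the message layout, and the sample serial are all constructed assumptions. It contrasts a pump that only checks a deterministic tag under a static key with one that uses a random per-pairing key and a monotonic counter covered by the tag.

```python
"""Toy model of a remote-to-pump RF command link (hypothetical; not the
OneTouch Ping wire format).  It shows why a static pairing key with no
freshness check lets a captured bolus command be replayed, and how a
monotonic counter covered by the message authentication tag stops it."""
import hashlib
import hmac
import os
import struct
import zlib

BOLUS = 0x01  # hypothetical command code: deliver units_x100 / 100 units


def checksum_key(serial: bytes) -> bytes:
    """Hypothetical pairing: the 'key' is a CRC32 of the pump serial. Anyone who
    learns the serial, or sniffs one pairing, can recompute it; it never rotates."""
    return struct.pack(">I", zlib.crc32(serial) & 0xFFFFFFFF)


def static_tag(key: bytes, payload: bytes) -> bytes:
    # Deterministic tag under a static key: the same command always yields the
    # same bytes, so the pump cannot tell a replay from a fresh transmission.
    return hmac.new(key, payload, hashlib.sha256).digest()[:4]


def build_static_msg(key: bytes, units: float) -> bytes:
    payload = struct.pack(">BH", BOLUS, round(units * 100))
    return payload + static_tag(key, payload)


class VulnerablePump:
    """Verifies the tag, then executes. No counter, no nonce, no timestamp."""

    def __init__(self, serial: bytes) -> None:
        self.key = checksum_key(serial)
        self.delivered: list[float] = []

    def receive(self, msg: bytes) -> bool:
        payload, tag = msg[:-4], msg[-4:]
        if not hmac.compare_digest(tag, static_tag(self.key, payload)):
            return False
        cmd, units_x100 = struct.unpack(">BH", payload)
        if cmd == BOLUS:
            self.delivered.append(units_x100 / 100)
        return True


def counter_tag(key: bytes, ctr: int, payload: bytes) -> bytes:
    # The tag binds the counter to the payload: an attacker cannot bump the
    # counter on a captured frame without also forging the tag.
    return hmac.new(key, struct.pack(">I", ctr) + payload, hashlib.sha256).digest()[:8]


def build_counter_msg(key: bytes, ctr: int, units: float) -> bytes:
    payload = struct.pack(">BH", BOLUS, round(units * 100))
    return struct.pack(">I", ctr) + payload + counter_tag(key, ctr, payload)


class HardenedPump:
    """Random per-pairing key (assumed to be established out of band) plus a
    strictly increasing counter: a captured frame verifies only once."""

    def __init__(self) -> None:
        self.key = os.urandom(16)
        self.last_ctr = -1
        self.delivered: list[float] = []

    def receive(self, msg: bytes) -> bool:
        ctr_bytes, payload, tag = msg[:4], msg[4:-8], msg[-8:]
        ctr = struct.unpack(">I", ctr_bytes)[0]
        if not hmac.compare_digest(tag, counter_tag(self.key, ctr, payload)):
            return False
        if ctr <= self.last_ctr:  # replay (or duplicated/reordered frame): refuse
            return False
        self.last_ctr = ctr
        cmd, units_x100 = struct.unpack(">BH", payload)
        if cmd == BOLUS:
            self.delivered.append(units_x100 / 100)
        return True


def replay_demo() -> dict:
    """The paired remote sends one 2.5-unit bolus; an eavesdropper who captured
    that frame re-sends it three times to each pump design."""
    vuln = VulnerablePump(serial=b"PUMP-SERIAL-000")  # constructed sample serial
    captured = build_static_msg(vuln.key, 2.5)        # frame seen over the air
    vuln.receive(captured)
    vuln_replays = [vuln.receive(captured) for _ in range(3)]

    hard = HardenedPump()
    captured = build_counter_msg(hard.key, ctr=1, units=2.5)
    hard.receive(captured)
    hard_replays = [hard.receive(captured) for _ in range(3)]
    # A genuinely new command from the paired remote still works.
    fresh_ok = hard.receive(build_counter_msg(hard.key, ctr=2, units=1.0))

    return {
        "vulnerable_delivered": vuln.delivered,       # [2.5, 2.5, 2.5, 2.5]
        "vulnerable_replays_accepted": vuln_replays,  # [True, True, True]
        "hardened_delivered": hard.delivered,         # [2.5, 1.0]
        "hardened_replays_accepted": hard_replays,    # [False, False, False]
        "hardened_fresh_accepted": fresh_ok,          # True
    }


if __name__ == "__main__":
    for name, value in replay_demo().items():
        print(f"{name}: {value}")
```

Two practical caveats the toy glosses over: the pump-side counter has to survive power cycles (otherwise an old frame becomes valid again after a battery change), and the per-pairing key must come from something an eavesdropper cannot derive, which is exactly what a checksum of a printed serial fails to provide.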
An attacker with high skill would be able to exploit these vulnerabilities.
Animas does not plan to release a firmware update to address the identified vulnerabilities. Animas said it is sending notifications to patients and healthcare professionals; the notification is also available on Animas' web site.
Animas has provided the following compensating controls to help reduce the risk associated with the exploitation of the identified vulnerabilities:
— The pump’s radio frequency feature can be turned off, which is explained in Chapter 2 of Section III of the OneTouch Ping Owner’s Booklet. However, turning off this feature means that the pump and meter remote will no longer communicate and blood glucose readings will need to be entered manually on the pump.
— If patients choose to use the meter remote feature, another option for protection is to program the OneTouch Ping pump to limit the amount of bolus insulin that can be delivered. Bolus deliveries can be limited through a number of customizable settings (maximum bolus amount, 2-hour amount, and total daily dose). Any attempt to exceed or override these settings will trigger a pump alarm and prevent bolus insulin delivery. For more information, please see Chapter 10 of Section I of the OneTouch Ping Owner’s Booklet.
— Animas also suggests turning on the Vibrating Alert feature of the OneTouch Ping system, as described in Chapter 4 of Section I. This notifies the user that a bolus dose is being initiated by the meter remote, which gives the patient the option of canceling the bolus.
— The bolus delivery alert and the customizable limits on bolus insulin can only be enabled on the pump and cannot be altered by the meter remote. This is also true of basal insulin. Patients should also be aware that every insulin delivery and its source (pump or meter remote) are recorded in the pump history, so they can review bolus dosing.
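The second and fourth controls above rely on one design property: dose limits and delivery history are enforced and stored on the pump, where a spoofed or replayed remote command cannot touch them. The model below is an added example, not Animas firmware or code from the advisory. The limit values, the rolling 24-hour interpretation of "total daily dose", the pump clock, and the dose sequence are constructed assumptions; the point is that every bolus request, whatever its source, is checked against pump-held limits, refused with an alarm when it would exceed them, and logged with its source.

```python
"""Toy pump-side bolus limiter (hypothetical model, not Animas firmware).  The
limits live on the pump, so a spoofed or replayed remote command that exceeds
them is refused with an alarm even though the RF link itself is not trusted.
The delivery history records the source of every dose for later review."""
from dataclasses import dataclass, field

TWO_HOURS = 2 * 3600
ONE_DAY = 24 * 3600


@dataclass
class Delivery:
    t: int         # seconds on the pump's own clock (hypothetical)
    units: float
    source: str    # "pump" or "remote"


@dataclass
class BolusLimiter:
    max_bolus: float   # largest single bolus
    max_2h: float      # most bolus insulin in any rolling 2-hour window
    max_daily: float   # total daily dose ceiling, modelled as a rolling 24 h (assumption)
    history: list = field(default_factory=list)
    alarms: list = field(default_factory=list)

    def _window_total(self, t: int, span: int) -> float:
        # Units delivered in the half-open window (t - span, t].
        return sum(d.units for d in self.history if t - span < d.t <= t)

    def set_limits(self, source: str, **new_limits) -> bool:
        # Limits are pump-only: a change request arriving from the remote is ignored.
        if source != "pump":
            return False
        for name, value in new_limits.items():
            setattr(self, name, value)
        return True

    def request_bolus(self, t: int, units: float, source: str) -> bool:
        """Deliver if within all three limits; otherwise alarm and refuse."""
        reason = None
        if units <= 0 or units > self.max_bolus:
            reason = "max bolus"
        elif self._window_total(t, TWO_HOURS) + units > self.max_2h:
            reason = "2-hour amount"
        elif self._window_total(t, ONE_DAY) + units > self.max_daily:
            reason = "total daily dose"
        if reason is not None:
            self.alarms.append((t, source, units, reason))
            return False
        self.history.append(Delivery(t, units, source))
        return True

    def report(self) -> list:
        # What the patient sees when reviewing the pump history.
        return [(d.t, d.units, d.source) for d in self.history]


def limit_demo() -> dict:
    """Constructed sequence: limits 10 u per bolus, 15 u per 2 h, 25 u per day."""
    pump = BolusLimiter(max_bolus=10.0, max_2h=15.0, max_daily=25.0)
    remote_change = pump.set_limits("remote", max_bolus=50.0)   # False: ignored
    accepted = [
        pump.request_bolus(t=0, units=8.0, source="remote"),      # True
        pump.request_bolus(t=600, units=8.0, source="remote"),    # False: 16 u in 2 h
        pump.request_bolus(t=600, units=25.0, source="remote"),   # False: > max bolus
        pump.request_bolus(t=7800, units=8.0, source="pump"),     # True: 2 h window has rolled
        pump.request_bolus(t=15000, units=8.0, source="remote"),  # True: 24 u today
        pump.request_bolus(t=20000, units=5.0, source="remote"),  # False: 29 u > daily
    ]
    return {
        "remote_limit_change": remote_change,
        "accepted": accepted,
        "alarm_reasons": [a[3] for a in pump.alarms],
        "delivered_total": sum(d.units for d in pump.history),    # 24.0
        "report": pump.report(),
    }


if __name__ == "__main__":
    for name, value in limit_demo().items():
        print(f"{name}: {value}")
```

The limiter is a safety floor, not a fix: it bounds how much insulin an unauthorized command can deliver, but a replayed command that stays under the limits is still delivered, which is why the advisory pairs the limits with the vibrating alert that lets the patient cancel a bolus they did not request.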
For additional information about the vulnerabilities or the compensating controls, users can email the Animas Customer Technical Support.