News

Medical company warns customers about vulnerability in insulin pump

By admin
Spread the love

US company Johnson & Johnson, which supplies pharmaceutical and medical products, has warned customers about a vulnerability in an insulin pump. This can cause an overdose of insulin to be delivered, resulting in the death of a user.

The company has informed its customers in a letter. The vulnerability was discovered in April by a researcher from the security company Rapid7. The investigator released details of the leak on Tuesday. It concerns the Animas OneTouch Ping insulin pump, which according to Reuters came on the market in 2008. It uses a wireless remote control that allows users to self-administer insulin. The researcher found that the signal to the pump can be spoofed, which could allow an attacker to overdose. Both Johnson & Johnson and the researcher estimate the risk of the vulnerability as ‘low’. Reuters claims based on ‘medical experts’ that this is the first time a medical company has issued such a warning. However, it is not the first time that a vulnerability in an insulin pump has been identified, in 2011 this was the case with Medtronic devices.

In fact, the vulnerability consists of three different vulnerabilities, with attributes cve-2016-5084, cve-2016-5085 and cve-2016-5086. The first vulnerability lies in the fact that data traffic between the pump and the remote control is sent unencrypted via radio signals. A third party can therefore collect this data. The second leak concerns the pairing process between the pump and the remote control. A key is created, so that the pump cannot receive signals from other remote controls. This key is also sent unencrypted, so that it can also be intercepted, writes the Rapid7 researcher who is a diabetic himself.

The last vulnerability has to do with the fact that there is no protection against a so-called replay attack. In doing so, an attacker could catch and re-send a command sent to the pump. This is possible because the commands sent do not have incremental IDs or other unique properties. The researcher writes that an attack can be carried out at a distance of up to two kilometers by amplifying the radio signal. Normally, the remote control works up to about ten meters.

Johnson & Johnson advises its customers in the letter to disable the pump’s radio function if they are concerned about the vulnerabilities. They could also set a limit on the insulin dose. The risk of an attack would be low, as an attacker would need to have “technical knowledge and advanced equipment” and be close to the pump. The pump is also not connected to the internet. The researcher himself states that the best solution is to use encryption to secure the connection between pump and remote control.

You might also like
News

Netflix is ​​also discontinuing the Basic subscription in the US and UK

News

EU Council determines position on security requirements for digital products

News

Citrix warns of critical vulnerability in NetScaler ADC and Gateway

News

Samsung develops first GDDR7 chips, mentions bandwidths of up to 32Gbit/s per pin

News

Meta introduces open source language model Llama 2, works on PCs and phones

News

Telegram has over 800 million active users and is not yet profitable