Animas OneTouch Ping insulin pump contains multiple vulnerabilities
Original Release date: 04 Oct 2016 | Last revised: 11 Oct 2016
The Animas OneTouch Ping insulin pump contains multiple vulnerabilities that may allow an unauthenticated remote attacker to obtain patient treatment or device data, or execute commands on the device.
The attacker cannot obtain personally identifiable information.
CWE-319: Cleartext Transmission of Sensitive Information – CVE-2016-5084
The Animas OneTouch insulin pump transmits patient treatment data and device data such as encryption passwords over the network in cleartext.
An unauthenticated remote attacker may be able to sniff all associated wireless transmissions from the device.According to Johnson and Johnson, parent company of Animas:
“Information between the pump and meter is unencrypted, which could allow a malicious actor to capture patient treatment data, however this data does not include personally identifiable information.”
CWE-330: Use of Insufficiently Random Values – CVE-2016-5085The Animas OneTouch insulin pump uses a CRC32 checksum as if it were an encryption key.
This value then does not change between authentication handshakes between the same device and remote station.
According to Animas and Rapid7, “A malicious actor may be able to listen to communication between the pump and meter remote and obtain the necessary information to spoof being the meter remote.”CWE-294: Authentication Bypass by Capture-replay – CVE-2016-5086The Animas OneTouch insulin pump uses a custom communication protocol that does not provide sufficient protections to guard against capture-replay attacks.
According to Animas and Rapid7, “Once a malicious actor has spoofed being the meter remote, he/she could learn commands a patient initiate from the meter remote to the pump and attempt to replay them from a device other than the meter remote to the pump. Please refer to the mitigation section [see Resolution below] for details on controls in place to reduce this risk.”CWE-290: Authentication Bypass by Spoofing – CVE-2016-5686The Animas OneTouch insulin pump uses a custom communications protocol that does not provide sufficient protections to guard against spoofed responses. Reportedly, it may be possible for an unauthenticated remote attacker to spoof acknowledgement packets to perform actions or commands on the device, or cause a remote to believe an acknowledgement was received after performing a command.
An unauthenticated remote attacker may be able to sniff patient treatment or device data from communications, or execute commands on the device and/or remote, or prevent actions from occurring by spoofing acknowledgement packets.
The attacker cannot obtain personally identifying information.
Johnson and Johnson has provided the following statement:
“There are no plans to release a firmware update, however a notification is being sent to patients and HealthCare Professionals.
In addition, there are a number of documented and proprietary mitigating controls in place to ensure the safe delivery of insulin, outlined below.i.
If patients are concerned about unauthorized access for any reason, the pump’s radio frequency feature can be turned off, which is explained in Chapter 2 of Section III of the OneTouch® Ping® Owner’s Booklet. However, turning off this feature means that the pump and meter will no longer communicate and blood glucose readings will need to be entered manually on the pump.ii.
If patients choose to use the meter remote feature, another option for protection is to program the OneTouch® Ping® pump to limit the amount of bolus insulin that can be delivered.
Bolus deliveries can be limited through a number of customizable settings (maximum bolus amount, 2-hour amount, and total daily dose).
Any attempt to exceed or override these settings will trigger a pump alarm and prevent bolus insulin delivery.
For more information, please see Chapter 10 of Section I of the OneTouch® Ping® Owner’s Booklet.iii.
The company also suggests turning on the Vibrating Alert feature of the OneTouch® Ping® System, as described in Chapter 4 of Section I.
This notifies the user that a bolus dose is being initiated by the meter remote, which gives the patient the option of canceling the bolus.iv.
The bolus delivery alert and the customizable limits on bolus insulin can only be enabled on the pump and cannot be altered by the meter remote.
This is also true of basal insulin. Patients can also be reminded that any insulin delivery and the source of the delivery (pump or meter remote) are recorded in the pump history, so patients can review the bolus dosing.”
Vendor Information (Learn More)
Johnson & Johnson
09 May 2016
04 Oct 2016
If you are a vendor and your product is affected, let us know.
CVSS Metrics (Learn More)
Thanks to Tod Beardsley of Rapid7 for reporting this vulnerability.
This document was written by Garret Wassermann.
If you have feedback, comments, or additional information about this vulnerability, please send us email.