The Animas OneTouch Ping insulin pump contains vulnerabilities that could be exploited by a malicious attacker to remotely trigger an insulin injection.
Security researcher Jay Radcliffe – who is himself a Type I diabetic – discovered the flaws and wrote about his findings.
What Radcliffe discovered was that there were security weaknesses in how the medical device communicated wirelessly. Specifically, a lack of encryption meant that instructions were being sent in cleartext. Combined with weak pairing between the remote and pump, this could open opportunities for remote attackers to spoof the controller and trigger unauthorized insulin injections.
If the user does not cancel the insulin delivery on the pump, there is the potential for an attacker to cause harm and potentially create a hypoglycemic reaction.
Although the risk of widespread exploitation of the flaws is considered relatively low, and no-one should panic, Animas’s parent company Johnson & Johnson has issued an advisory to users of the insulin infusion pump: