Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Medicine Security Businesses Privacy Software News Hardware Technology

Johnson & Johnson Discloses That Its Insulin Pump Is Hackable (thestack.com) 79

An anonymous reader quotes a report from The Stack: Johnson and Johnson has revealed that its JJ Animas OneTouch Ping insulin pump is vulnerable to hackers, who could potentially force the device to overdose diabetic patients -- however, it declares that the risk of this happening is very low. Unnamed executives from the American multinational medical manufacturer said that they were taking the unprecedented step of warning customers about the vulnerability, particularly in light of recent controversies regarding attack vectors in cardiac equipment. In a letter to doctors and 114,000 patients, sent on Monday, the company wrote: "The probability of unauthorized access to the OneTouch Ping system is extremely low... It would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping system is not connected to the internet or to any external network." Even though the company's own technicians were able to hack the pump within a distance of 25 feet, Johnson and Johnson's chief medical officer Brian Levy observed that the hack would be extremely difficult to pull off, and said "We believe the OneTouch Ping system is safe and reliable. We urge patients to stay on the product."
This discussion has been archived. No new comments can be posted.

Johnson & Johnson Discloses That Its Insulin Pump Is Hackable

Comments Filter:
  • by Anonymous Coward

    Now people will hack into these just to prove they can. How many have to die because of J&J being cheap and not fixing them?

    • by Mr D from 63 ( 3395377 ) on Tuesday October 04, 2016 @05:49PM (#53014237)
      Pretty much anything is hackable if you can get your hands on it. Considering the proximty and time required for a successful hack, the hacker would stand a high risk of being caught and charged with murder or attempted murder. So if one is smart enough to do it they're probably smart enough to not even try.
      • by Fwipp ( 1473271 )

        Considering the proximty and time required for a successful hack, the hacker would stand a high risk of being caught and charged with murder or attempted murder.

        I'm not sure that's true. I don't see anything in the article saying that it takes very long to carry out, and 25 feet is well within the range of "sitting nearby at a coffee shop."

        Additionally,

        it is believed these attacks could be performed from one to two kilometers away, if not substantially further, using sufficient elevation and off-the-shelf radio transmission gear available to ham radio hobbyists.

        • by PCM2 ( 4486 )

          Yikes! I wonder if that's a line-of-sight thing or if you could just drop every diabetic in a 2km range ... you know, for plausible deniability.

          • Yikes! I wonder if that's a line-of-sight thing or if you could just drop every diabetic in a 2km range

            Only if every diabetic within range of your hacking device is using an insulin pump that your device can hack. Not all diabetics are on insulin, not all diabetics on insulin use insulin pumps, and not all diabetics using insulin pumps are all using the same model with similarly-hackable firmware.

            • by AmiMoJo ( 196126 )

              It's of more concern to organisations with diabetic VIPs. Governments, businesses, organized crime (but I repeat myself).

              I seem to recall that certain members of the US government have special medical devices with the radios disabled. Anyone who might be the target of assassination should be worried.

          • No. It's RF, so line of sight isn't required, but the article says the range is about 25 feet.

            In addition, you have to capture packets from the remote in order to get the pairing key in order to spoof commands to the pump. Every pump in the vicinity would have to have been paired with the same remote in order for one broadcast to affect them all.

        • Considering the proximty and time required for a successful hack, the hacker would stand a high risk of being caught and charged with murder or attempted murder.

          I'm not sure that's true. I don't see anything in the article saying that it takes very long to carry out, and 25 feet is well within the range of "sitting nearby at a coffee shop."

          Additionally,

          it is believed these attacks could be performed from one to two kilometers away, if not substantially further, using sufficient elevation and off-the-shelf radio transmission gear available to ham radio hobbyists.

          Both those situations present a pretty good risk of getting caught. Only so many people in those areas at a given time would have the knowledge of the victim and the capability.

      • by c ( 8461 )

        Considering the proximty and time required for a successful hack

        "Time required" is dependent on how often the devices generate the packets you'd need to hack. Odds are if you park yourself in the middle of a food court or restaurant you'll find a few victims quite easily since pump users need to tweak settings when they sit down to eat.

        As far as proximity or someone being smart enough to do it... it doesn't sound like rocket science and I wouldn't bet against it. A laptop with a $10 RTL2832U/R820T2 dongle i

        • p>As far as proximity or someone being smart enough to do it... it doesn't sound like rocket science and I wouldn't bet against it. A laptop with a $10 RTL2832U/R820T2 dongle is enough to mess with 900MHz signals, so if someone comes up with a script then it's a good bet that a bored dipshit would find it funny to fire it up somewhere.

          Funny that type of thing never seems to happen in the real world. Its not like there aren't a lot of opportunities to pull off similar life threatening hacks already, be it cars, medical devices, medical devices. etc. Or even non life threatening ones. Yet I keep hearing this talk like there are these stereotypical bored computer geeks are roving the streets with hacking gear looking to pull off this type of thing.

          • ^and why is it always done in coffee shops?
          • by c ( 8461 )

            Funny that type of thing never seems to happen in the real world.

            That we know of.

            But no, I don't think it's happening much yet. Their wireless tech is still quite primitive. I don't think it's going to be a real problem until manufacturers start putting these things on the Internet and open them up to the same people turning IP cameras into botnets. They'll be adding smartphone integration first, of course (most of these devices upload data via USB currently), but inevitably they'll add wifi integration. If

            • If people are dying because of hacked devices, we'd be hearing about it.
              • by Bob_Who ( 926234 )

                If people are dying because of hacked devices, we'd be hearing about it.

                Maybe not....

                They hacked the hearing aids too..

              • by Aaden42 ( 198257 ) on Wednesday October 05, 2016 @08:19AM (#53016699) Homepage

                I wouldn't be so sure. Consider what evidence is left on a device that's been hacked remotely. (I don't know at all, just speculating of course.)

                What if a hacked command to send a lethal overdose looks exactly like the user pressing the buttons to deliver the same dose? Any legal risk minded investigation team is going to be falling over themselves to label that either an "accidental" overdose or perhaps even a suicide rather than let it go down as a security issue in their device that allowed someone to murder the user at a distance by twiddling some buttons. My (cynical) guess would be if the security of an embedded device is such that it can take unauthorized commands over the wire, odds are pretty good it's not going to successfully audit what happened in any meaningful way.

                If it happened en mass, sure. People would put it together, and we'd get a Made for Lifetime movie about the intrepid hero who wouldn't accept the party line and pushed through to discover the horrible truth... Or somesuch drek... But one or two, here & there? We've all seen the bit about automotive recalls at the beginning of that movie we don't talk about, right?

          • There are people doing that. They're called auditors. You have to be just good enough at security to keep them off your back. The whole point is to keep security ahead of the curve: effort required to secure * value of controlling resource > effort required to obtain * value of gained resource (inclusive of satisfying motivation) If we didn't do this ridiculous draconian thing security could really slip in general to a point we'll have trouble securing it, like transportation signaling equipment. Howev
          • by mwvdlee ( 775178 )

            That's because besides the need for some hardware, technical expertese and the right location, you'd also need a psychopathic murderer who can't think of an easier way to kill people.

      • ToF protection to make NFC truly NFC is still very rare, even though the silicon cost is negligible and it should have been part of the standard from day 1, most of the time a larger antenna is enough to increase distance.

      • by dbIII ( 701233 )
        A few years ago I talked to a guy from RSA who was making sure that a pacemaker with wireless controls was secured. He had to brush up on Z80 code to do it.
        Today there is no excuse since the hardware is far more capable.
      • That is nearly 8 meter. So you only need to be in proximity doing nothing reading a book while your conspicuously hidden laptop is doing the job, with scripts already prepared is trying. Then once the max dose of insuline is given you can simply safely go. Remember that the effect will not be *immediate* has if it was cyanide administered, the blood sugar will take a bit of time to be absorbed. So yeah. The risk of being charged is actually much lower than you think it is. If nobody catch you red handed wit
        • Only you forgot most public areas have video cameras. You'd be surprise how quickly a suspect list can be narrowed down.
      • Proximity required? Like, say, in a school cafeteria where some geek prankster who doesn't even know what damage he might do could give it a try?

        Kids don't give a shit about consequences. But fortunately, kids being killed by improper medial equipment cause enough of a stir to get things done. I guess some minor will have to croak so we see something being done, but hey, at least it's not going to kill someone whose education already costed an arm and a leg. From an economic point of view, better some snott

    • Actually, the effort required to do this hack is quite high and the risks to the patient is quite low from this hack.

      An overdoes of insulin is indeed dangerous and can cause death if left untreated for an extended time, but diagnosis is easy (a finger prick blood glucose test) and treatment is easier (Drink some juice or a sugared soda).

      So with the extremely high technical requirements to perform the hack from a distance, especially without the victim knowing and the ease of diagnosis and treatment from t

      • Speaking as an insulin-dependent diabetic (I've never been on a pump and don't expect to be in the future.) I can tell you that you're only looking at one side of the coin. The other side is hacking the pump to deliver less insulin than needed, causing the victim to go into a coma caused by high blood sugar. In that case, the proper treatment is insulin, and if the patient is awake and coherent, lots and lots of water to drink so that the kidneys can do their part in flushing it out of the system.
      • Actually, the effort required to do this hack is quite high and the risks to the patient is quite low from this hack.

        ....

        I'm with J&J, It's just NOT worth the replacement risks.... General Anesthesia has significant risks, much more than somebody hacking your insulin pump on the subway.

        I am with JJ but this does not require surgery to replace.
        It is external and connects to the body with an infusion set with standard Luer connector.

        I can see a software update to the paired system.
        Two devices a blood glucose meter and the infuser.

      • by c ( 8461 )

        Actually, the effort required to do this hack is quite high...

        Not it isn't.

        Actually, I don't know for sure either way, but you have to be a fool to bet that it is. History has shown very consistently that security holes in any given product are always easier to exploit than the vendor will admit to, and they become less and less difficult as time passes without a proper fix.

        Off hand, from the attack demo video the guy is running it off a Pi with a USB RF dongle... probably an obvious application of RTL-SDR.

    • Now Now, Johnson and Johnson's chief medical officer Brian Levy seems very confidant the devices are safe.
      With that in mind maybe he could have one installed in HIM. Bonus points if he walks into a Defcon wearing a name badge.
      A majority of board members joining him would show the company is truly committed to the product...
      I would imagine a few of the biggest investors would also want in on the action, just to bolster stock prices.
      </delusion>
    • Now people will hack into these just to prove they can.
      How many have to die because of J&J being cheap and not fixing them?

      So these pumps are where? Google google google.
      Cool it is outside the body and connected by a simple Infusion set with standard Luer connector.
      That makes it easy to replace.

      All these bluetooth family of short distance devices are a risk...
      time will tell what JJ does.

    • While the problem does need to be fixed, it's highly unlikely that anyone will die due to a random hacker messing with their device.

      Despite the Hollywood movie stereotype of evil hackers who unleash chaos and destruction on the world, the truth is that most hackers are just curious about how things work and have no desire to cause damage, much less kill people. The closest thing that exists to the stereotype are the hackers who are trying to make a profit without regard to the cost to others, but there's n

  • If both were to come to a bad end, there would be massive rejoicing...

  • Although it is unlikely that a hack will occur, hopefully J&J will look at security more thoroughly in the future. Obviously a person dying due to a faulty, or hacked insulin pump is less expensive than a recall and firmware update.

    Maybe they could just post equipment in major cities that hack the new firmware onto the pumps! No recall, and probability of a hack goes down even further. What on earth could possibly go wrong?!

    At least the quotes don't sound like they were written by a progressive, brand

  • “The probability of unauthorized access to the OneTouch Ping system is extremely low It would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping system is not connected to the internet or to any external network.”

    • - technical expertise - yes
    • - sophisticated equipment - a $15 dongle to do SDR
    • - proximity to the pump - come within 20 feet of of the pump and you can hack it. anything internet connected that can communicate at 900 MHz could potentially hack the device

    if someone was targeting you (especially a nation-state) and wanted to kill you, this would be a great way of doing it.

    • by amiga3D ( 567632 )

      My wife's Medtronic Insulin pump requires actually pushing an acknowledgment button before it will deliver insulin.

      • that's nice but when it's hacked to deliver the wrong amount?

        • Re:yes, no and kinda (Score:4, Informative)

          by amiga3D ( 567632 ) on Tuesday October 04, 2016 @08:51PM (#53014997)

          Well, it gets the reading remotely from the blood glucose meter and calculates the dose. It then displays the amount of insulin for the bolus delivery. You look at it and generally, if you've been using a pump or doing injections you know about what range you usually end up taking. If it's off a lot it should be obvious as long as you're actually alert. When it comes to things like that being observant is important.

          • Well, it gets the reading remotely from the blood glucose meter and calculates the dose. It then displays the amount of insulin for the bolus delivery. You look at it and generally, if you've been using a pump or doing injections you know about what range you usually end up taking. If it's off a lot it should be obvious as long as you're actually alert. When it comes to things like that being observant is important.

            Using the bolus wizard is one path through the menus but is not the only one. If you have remotely connected to the pump you can tell it to deliver without requiring the user to press any buttons. Medtronic have turned off some of the remote ability with the firmware in their later pumps, unfortunately that has also denied access to projects such as OpenAPS. I would like to see some ability to pair known devices together rather than cutting off all access completely.

            • by amiga3D ( 567632 )

              I know my wife doesn't use the remote. She has one but it's just too easy to pull the pump up, look at it and okay the dose. The remote adds complexity and of course while hacking would not be that easy it could be done.

      • by c ( 8461 )

        My wife's Medtronic Insulin pump requires actually pushing an acknowledgment button before it will deliver insulin.

        My wife just switched to an OmniPod, which doesn't have a UI of any sort on the pump unit itself. The controller commnunicates with the pump using what I believe is 433MHz FSK coding, and quite frankly I'm a terrified to start playing with a 433MHz capture board within range of her because I have a bad feeling about what I'll find...

        That main thing that prevents a bolus overdose attack is that

  • I'm pretty sure most readers here will agree medical devices in critical applications need to be regulated and tested to a high degree. But the system was never designed around devices with internet connectivity and other communication technology. There isn't even a realistic way to upgrade the security or install patches on these devices without repeating the entire certification process in most cases. The medical community needs to update thier security in some sane and reasonable way. I mean they wer
    • The pump shouldn't be connected to the internet... It doesn't need to be. It probably doesn't even need Bluetooth, but probably has some sort of remote diagnostic ability so it can dump log files.... But this whole thing is moot anyway. Didn't the FDA just approve a closed-loop artificial pancreas? It looks like a good time to upgrade, and feel better!
      • by cdrudge ( 68377 )

        Didn't the FDA just approve a closed-loop artificial pancreas?

        Yes, although calling it an artificial pancreas is a lot like calling an iron lung an artificial lung. The device works in conjunction with an insulin pump and continuous glucose monitor, sampling every 5 minutes glucose levels and dosing insulin in response. It's a hybrid system though that only handles basal insulin while bolus insulin from meals needs to be manually specified, as well as periods of exercising.

        The FDA specifically worked with

    • by havana9 ( 101033 )
      The pump uses a proprietary protocol on 900 MHz ISM band. It is nor Bluetooth neither uses TCP/IP. So to interfere with the device one has to be in the proximity and having a system to send fake commands: it's a lot like the problems one could have with garage door openers rather than the ones with IoT things. Luckily J&J didn't followed the easy route, mabye because the pumps has to run on a small 8 bit microcontroller and adding a TCP/IP stack was unfeasible.
    • by AmiMoJo ( 196126 )

      Can someone explain why it even has a radio communication system? Why not just have a USB port for reprogramming?

      I appreciate that wireless is convenient, but it's also a huge attack surface, and it appears that if there was any authentication at all then it's extremely weak.

  • Interesting approach to the problem:

    On one hand they are fulfilling their duty of care by disclosing this information to the public so they can make an informed decision; and

    On the other hand they are protecting their shareholders by suggesting that the devices are safe and people can continue to use them.

    It's a sad thing when the profit motive is put ahead of patient safety, however I suspect we will see a lot more of this as the 'Internet of Things' and 'eHealth' agendas collide on the desk of medical

  • by Anonymous Coward

    I'd like to point out, and this is refreshing, that because Johnson and Johnson disclosed this themselves, with some details, that the discussion on here is the right one. People are discussing severity, risk and impact.

  • Then the risk is not "extremely low". If it where that, they would just sweep their incompetence under the carpet...

You know you've landed gear-up when it takes full power to taxi.

Working...