Johnson & Johnson warns that its insulin pump can be hacked

Hackers

Johnson & Johnson has contacted hospitals and patients after the company discovered a potentially fatal security vulnerability in one of their insulin pumps.

The pharmaceutical and manufacturing giant delivered a letter to users of the pump, a copy of which Reuters received.

Almost 114,000 patients use the device in the United States and Canada.

Johnson & Johnson discovered that a hacker could potentially manipulate the amount of insulin a patient receives, which could lead to dangerously lowered blood sugar, or life-threatening hypoglycemia.

The vulnerability affects the Animas OneTouch Ping insulin pump, which was launched in 2008. This model is sold with a wireless control allowing patients to remotely operate the pump when insulin is needed.

Speaking to Reuters, Rapid 7 researcher Jay Radcliffe explained he had identified a way for a hacker to manipulate the communications between the remote control and pump, in order to give a higher than normal dose of insulin.

Radcliffe, who is a diabetic, explained to Reuters that the lack of encryption on these communications is the cause of this vulnerability.

In the letter released today, Johnson & Johnson outlined several steps patients can take to prevent potential attacks.

The company recommended that customers should either stop using the remote control device or reprogram the pump manually to limit insulin dosage.

Despite the possible security flaw, Johnson & Johnson believes the device is safe and is urging customers to keep using the product.

As the pump is not connected to the internet and operates with a maximum reach, the company believes a hack would be unlikely.

Its letter stated that: "The probability of unauthorized access to the OneTouch Ping system is extremely low. It would require technical expertise, sophisticated equipment and proximity to the pump..."

So far the Johnson & Johnson Animas OneTouch Ping is the only model identified as having a security flaw.

A Johnson & Johnson spokesperson said: "We are not issuing a recall as we are confident that the Animas OneTouch Ping insulin delivery system is safe and reliable for use. Animas has contacted patients and health care providers about this issue to assure them that the probability of unauthorized access to the One Touch Ping System is extremely low, as it would require technical expertise, sophisticated equipment and proximity to the pump.

"We have also informed patients and health care providers how to enable various pump features for advanced protection should they be concerned."

This article was updated on 5 October to include Johnson & Johnson's statement.

Contributor

Dale Walker is a contributor specializing in cybersecurity, data protection, and IT regulations. He was the former managing editor at ITPro, as well as its sibling sites CloudPro and ChannelPro. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.