Johnson & Johnson issues cyber hack warning for insulin pumps

After a security researcher found that the unencrypted devices could be forced to deliver unauthorized insulin doses, J&J sent patients a letter but also said the probability of such an attack is low. 
By Jeff Rowe
01:48 PM

Officials at Johnson & Johnson sent out a letter warning users about the potential for a hacker to program the company’s Animas OneTouch Ping insulin pump to deliver a fatal dose of the hormone to a user.

Jay Radcliffe, a diabetic and researcher with cyber security firm Rapid7, said he had identified ways for a hacker to spoof communications between the remote control and the OneTouch Ping insulin pump, potentially forcing it to deliver unauthorized insulin injections, according to a Reuters report.

The system is vulnerable because those communications are not encrypted, or scrambled, to prevent hackers from gaining access to the device, said Radcliffe, who reported vulnerabilities in the pump to J&J in April and published them this week on the Rapid7 blog.

According to Brian Levy, chief medical officer with J&J's diabetes unit, company technicians were able to replicate Radcliffe's findings, confirming that a hacker could order the pump to dose insulin from a distance of up to 25 feet. He added that such attacks are difficult to pull off because they require specialized technical expertise and sophisticated equipment.

"The probability of unauthorized access to the OneTouch Ping system is extremely low," the company said in letters sent to doctors and roughly 114,000 patients in the U.S. and Canada. "It would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping system is not connected to the internet or to any external network."