October 10, 2016

Johnson & Johnson Issues Warning of Insulin Pump Cyber Exploit

Medical device manufacturer Johnson & Johnson is warning patients about a cybersecurity bug that could lead to a potential exploit in one of its insulin pumps. If compromised, a hacker could trigger an overdose of insulin for diabetic patients.

For the first time ever, a medical device manufacturer has issued a warning to patients about a cybersecurity vulnerability in one of its devices, the Johnson & Johnson Animas OneTouch Ping insulin pump. The device is attached to patients’ bodies, injecting insulin through catheters.

While Johnson & Johnson executives tell Reuters that there were no examples of any attempted attacks on the device, the company is pressing ahead with its warning to customers, while suggesting a fix.

In letters obtained by Reuters, the company reached out to 114,000 patients in the United States and Canada who use the device. The company also communicated the same to doctors in the two countries, stating that the “probability of unauthorized access to the OneTouch Ping system is extremely low.”

The letter added:

It would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping system is not connected to the internet or to any external network.

Meanwhile, the FDA has declined to comment on Johnson & Johnson’s handling of the vulnerability discovered in its insulin pump.

The device is sold with a wireless remote control that patients can use to order the pump to inject insulin.

Jay Radcliffe, a diabetic and researcher with cybersecurity firm Rapid7 Inc, revealed that he had identified ways in which a hacker could spoof communications between the remote control and the OneTouch Ping insulin pump.

Johnson & Johnson technicians have since worked with Radcliffe on the security issues. They were able to replicate Radcliffe’s findings, adding that a hacker could order the pump to inject insulin from up to 25 feet away.

For now, the company has urged concerned patients to take the steps detailed in the letter to avoid any potential cyberattacks.

Radcliffe said:

They can give peace of mind to the patient or parent of a child using the device.

About the author

LIFARS is a digital forensics and cybersecurity intelligence firm based in New York City. LIFARS is ranked as one of the top Digital Forensics and Cyber Investigations companies in 2016 and as one of the top cybersecurity companies in the New York metropolitan area for 2015 on the Cybersecurity 500 – a directory of the hottest and most innovative companies to watch in the cybersecurity industry.