Johnson & Johnson warns that its insulin pump can be hacked

But company says the pump isn't web-connected, so can still be used

Johnson & Johnson has contacted hospitals and patients after the company discovered a potentially fatal security vulnerability in one of its insulin pumps.

The pharmaceutical and manufacturing giant delivered a letter to users of the pump, a copy of which Reuters received.

Almost 114,000 patients use the device in the United States and Canada.

Johnson & Johnson discovered that a hacker could potentially manipulate the amount of insulin a patient receives, which could lead to dangerously lowered blood sugar, or life-threatening hypoglycemia.

The vulnerability affects the Animas OneTouch Ping insulin pump, which was launched in 2008. This model is sold with a wireless control allowing patients to remotely operate the pump when insulin is needed.

Speaking to Reuters, Rapid7 researcher Jay Radcliffe explained that he had identified a way for a hacker to manipulate the communications between the remote control and the pump in order to deliver a higher than normal dose of insulin.

Radcliffe, who is a diabetic, explained to Reuters that the lack of encryption on these communications is the cause of this vulnerability.

In the letter released today, Johnson & Johnson outlined several steps patients can take to prevent potential attacks.

The company recommended that customers either stop using the remote control device or reprogram the pump manually to limit insulin dosage.

Despite the possible security flaw, Johnson & Johnson believes the device is safe and is urging customers to keep using the product.

Because the pump is not connected to the internet and its wireless remote works only within a limited range, the company believes a hack would be unlikely.

Its letter stated that: "The probability of unauthorized access to the OneTouch Ping system is extremely low. It would require technical expertise, sophisticated equipment and proximity to the pump..."

So far the Johnson & Johnson Animas OneTouch Ping is the only model identified as having a security flaw.

A Johnson & Johnson spokesperson said: "We are not issuing a recall as we are confident that the Animas OneTouch Ping insulin delivery system is safe and reliable for use. Animas has contacted patients and health care providers about this issue to assure them that the probability of unauthorized access to the One Touch Ping System is extremely low, as it would require technical expertise, sophisticated equipment and proximity to the pump.

"We have also informed patients and health care providers how to enable various pump features for advanced protection should they be concerned."

This article was updated on 5 October to include Johnson & Johnson's statement.
