Johnson & Johnson warns that its insulin pump can be hacked

But company says the pump isn't web-connected, so can still be used


Johnson & Johnson has contacted hospitals and patients after the company discovered a potentially fatal security vulnerability in one of their insulin pumps.

The pharmaceutical and manufacturing giant delivered a letter to users of the pump, a copy of which Reuters received.

Almost 114,000 patients use the device in the United States and Canada.

Advertisement - Article continues below

Johnson & Johnson discovered that a hacker could potentially manipulate the amount of insulin a patient receives, which could lead to dangerously lowered blood sugar, or life-threatening hypoglycemia.

The vulnerability affects the Animas OneTouch Ping insulin pump, which was launched in 2008. This model is sold with a wireless control allowing patients to remotely operate the pump when insulin is needed.

Speaking to Reuters, Rapid 7 researcher Jay Radcliffe explained he had identified a way for a hacker to manipulate the communications between the remote control and pump, in order to give a higher than normal dose of insulin.

Radcliffe, who is a diabetic, explained to Reuters that the lack of encryption on these communications is the cause of this vulnerability.

In the letter released today, Johnson & Johnson outlined several steps patients can take to prevent potential attacks.

The company recommended that customers should either stop using the remote control device or reprogram the pump manually to limit insulin dosage.

Advertisement - Article continues below
Advertisement - Article continues below

Despite the possible security flaw, Johnson & Johnson believes the device is safe and is urging customers to keep using the product.

As the pump is not connected to the internet and operates with a maximum reach, the company believes a hack would be unlikely.

Its letter stated that: "The probability of unauthorized access to the OneTouch Ping system is extremely low. It would require technical expertise, sophisticated equipment and proximity to the pump..."

So far the Johnson & Johnson Animas OneTouch Ping is the only model identified as having a security flaw.

A Johnson & Johnson spokesperson said: "We are not issuing a recall as we are confident that the Animas OneTouch Ping insulin delivery system is safe and reliable for use. Animas has contacted patients and health care providers about this issue to assure them that the probability of unauthorized access to the One Touch Ping System is extremely low, as it would require technical expertise, sophisticated equipment and proximity to the pump.

"We have also informed patients and health care providers how to enable various pump features for advanced protection should they be concerned."

This article was updated on 5 October to include Johnson & Johnson's statement.

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now


ethical hacking

Mobile banking apps are exposing user data to attackers

26 Jun 2020

Most malware came through HTTPS connections in Q1 2020

25 Jun 2020

Phishing attacks target unsuspecting Wells Fargo customers

24 Jun 2020

Trump administration wants to enhance the security of .gov sites

24 Jun 2020

Most Popular

Careers & training

IBM job ad calls for 12-years of experience with six-year-old Kubernetes

13 Jul 2020
Business operations

Nvidia overtakes Intel as most valuable US chipmaker

9 Jul 2020
cyber attacks

Trump confirms US cyber attack on Russia election trolls

13 Jul 2020