Johnson & Johnson Warns Insulin Pump Owners They Could Be Killed By Hackers
from the internet-of-broken-things dept
Unfortunately, companies that service the medical industry also decided a few years ago that it would be a good idea to connect every-damn-thing to networks without first understanding the security ramifications of the decision. As a result, we're seeing a rise in not only the number of ransomware attacks launched on hospitals, but a spike in hackable devices like pacemakers that could mean life and death for some customers.
Another new case in point: Johnson and Johnson this week had to reach out to owners of the company's insulin pumps to warn them that the devices could be used to kill somebody by overdosing diabetic patients with insulin. According to researchers, the devices were launched with wireless connectivity in 2008 as a means of bringing added convenience for customers, but Johnson and Johnson failed to encrypt the device's wireless traffic:
"The Animas OneTouch Ping, which was launched in 2008, is sold with a wireless remote control that patients can use to order the pump to dose insulin so that they do not need access to the device itself, which is typically worn under clothing and can be awkward to reach. Jay Radcliffe, a diabetic and researcher with cyber security firm Rapid7 Inc, said he had identified ways for a hacker to spoof communications between the remote control and the OneTouch Ping insulin pump, potentially forcing it to deliver unauthorized insulin injections."As with pacemakers, an attacker needs to be relatively close to make this happen (25 feet), resulting in Johnson and Johnson insisting the overall risk was low:
"The probability of unauthorized access to the OneTouch Ping system is extremely low," the company said in letters sent on Monday to doctors and about 114,000 patients who use the device in the United States and Canada. "It would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping system is not connected to the internet or to any external network."That's not really comforting. While this particular hack was publicized and fixed, there's a growing zero-day exploit market for medical device vulnerabilities that can be used to kill or injure an individual without detection, something that's going to be increasingly attractive to nation state actors and private contractors using the Internet of Things for globally malicious (and in some instances potentially fatal) activity. The rise in hackable medical devices has forced the FDA to issue formal guidance on how medical device makers should handle reports about cyber vulnerabilities.
In this case it appears that Johnson and Johnson was cooperative with Rapid7, but as we've noted previously, the lion's share of internet-of-broken-things companies tends to respond to researcher vulnerability reports with stone-cold silence.