Insulin Pump Vulnerability Lets Attackers Remotely Administer Dose

A security firm found a flaw in a brand of insulin pump systems that could allow a hacker to remotely administer a dose of insulin.

Diabetics use insulin pumps to self-administer insulin and regulate blood sugar. The Animas OneTouch Ping systems include a meter that checks blood sugar and controls the pump through wireless communications.

Security firm Rapid7 found that the communications between the meter and the pump aren’t encrypted, so someone could eavesdrop on the information or spoof the signal to send a dose of insulin to the wearer. Rapid7 said an attacker could execute the attack within two kilometers of the device, and a U.S. Computer Emergency Readiness Team alert said the attacker would need a high skill level.

“We want to flag that we believe the risk of wide-scale exploitation of these insulin pump vulnerabilities is relatively low, and we don’t believe this is cause for panic,” a Rapid7 blog post said.

Animas, a subsidiary of Johnson & Johnson, issued a statement advising worried users to turn off the radio frequency feature, which stops all communication with the meter. Alternatively, users who want to keep using the meter could set dosage limits and turn on vibrating alerts so they know doses have been administered.