Johnson & Johnson Warns Insulin Pump Owners They Could Be Killed By Hackers
from the internet-of-broken-things dept
Initially the lack of security on "smart" Internet of Things devices was kind of funny as companies rushed to make a buck and put device security on the back burner. And while hackable tea kettles and refrigerators that leak your Gmail credentials just seem kind of stupid on the surface, people are slowly realizing that at scale -- we're introducing millions of new attack vectors into homes and businesses annually. Worse, compromised devices are now being used as part of massive new DDoS attacks like the one we recently saw launched against Brian Krebs.

Unfortunately, companies that service the medical industry also decided a few years ago that it would be a good idea to connect every-damn-thing to networks without first understanding the security ramifications of the decision. As a result, we're seeing a rise in not only the number of ransomware attacks launched on hospitals, but a spike in hackable devices like pacemakers that could mean life and death for some customers.
Another new case in point: Johnson and Johnson this week had to reach out to owners of the company's insulin pumps to warn them that the devices could be used to kill somebody by overdosing diabetic patients with insulin. According to researchers, the devices were launched with wireless connectivity in 2008 as a means of bringing added convenience for customers, but Johnson and Johnson failed to encrypt the device's wireless traffic:
"The Animas OneTouch Ping, which was launched in 2008, is sold with a wireless remote control that patients can use to order the pump to dose insulin so that they do not need access to the device itself, which is typically worn under clothing and can be awkward to reach. Jay Radcliffe, a diabetic and researcher with cyber security firm Rapid7 Inc, said he had identified ways for a hacker to spoof communications between the remote control and the OneTouch Ping insulin pump, potentially forcing it to deliver unauthorized insulin injections."

As with pacemakers, an attacker needs to be relatively close to make this happen (25 feet), resulting in Johnson and Johnson insisting the overall risk was low:
"The probability of unauthorized access to the OneTouch Ping system is extremely low," the company said in letters sent on Monday to doctors and about 114,000 patients who use the device in the United States and Canada. "It would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping system is not connected to the internet or to any external network."

That's not really comforting. While this particular hack was publicized and fixed, there's a growing zero-day exploit market for medical device vulnerabilities that can be used to kill or injure an individual without detection, something that's going to be increasingly attractive to nation state actors and private contractors using the Internet of Things for globally malicious (and in some instances potentially fatal) activity. The rise in hackable medical devices has forced the FDA to issue formal guidance on how medical device makers should handle reports about cyber vulnerabilities.
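The flaw described above is that the pump accepts remote commands it cannot tell apart from a forged or replayed one. The following is an added example, not code from the article, Rapid7, or the Animas/J&J product, of the control that closes that gap: each command frame from the remote carries a monotonic counter and an HMAC-SHA256 tag under a secret shared at pairing time, so the pump rejects frames that are forged without the key, tampered with in transit, or captured and replayed. The frame layout, the 32-byte key, the per-command dose cap and all names are assumptions for illustration; how the key is provisioned at pairing is out of scope here.

```python
import hashlib
import hmac
import struct

# Assumed frame layout: command id (1 byte), dose in 0.01 units (2 bytes),
# monotonic counter (4 bytes), then a 32-byte HMAC-SHA256 tag over the body.
BODY_FMT = ">BHI"
BODY_LEN = struct.calcsize(BODY_FMT)  # 7 bytes
TAG_LEN = 32
CMD_BOLUS = 0x01
MAX_BOLUS_CENTIUNITS = 1500  # assumed safety cap: 15.00 units per command


class Remote:
    """The patient's remote: signs every command with the shared key."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0  # must persist across power cycles on a real device

    def build_bolus(self, centiunits: int) -> bytes:
        self.counter += 1
        body = struct.pack(BODY_FMT, CMD_BOLUS, centiunits, self.counter)
        tag = hmac.new(self.key, body, hashlib.sha256).digest()
        return body + tag


class Pump:
    """The pump: verifies tag, freshness and dose cap before delivering."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0
        self.delivered = []  # accepted doses, in 0.01-unit steps

    def handle(self, frame: bytes) -> str:
        if len(frame) != BODY_LEN + TAG_LEN:
            return "rejected: bad length"
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        # Authenticate first: anyone without the key cannot produce a valid tag.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"
        cmd, centiunits, counter = struct.unpack(BODY_FMT, body)
        # Freshness: a captured frame re-sent later carries a stale counter.
        if counter <= self.last_counter:
            return "rejected: replay"
        if cmd != CMD_BOLUS:
            return "rejected: unknown command"
        # Defence in depth: even an authentic command cannot exceed the cap.
        if centiunits > MAX_BOLUS_CENTIUNITS:
            return "rejected: exceeds cap"
        self.last_counter = counter
        self.delivered.append(centiunits)
        return "accepted"


def demo(key: bytes = b"constructed-demo-key-not-a-real-secret!!") -> list:
    """Run the remote and pump through one valid frame and four bad ones."""
    remote, pump = Remote(key), Pump(key)
    results = []
    good = remote.build_bolus(250)                      # 2.50 units, counter 1
    results.append(pump.handle(good))                   # accepted
    results.append(pump.handle(good))                   # same frame again: replay
    tampered = bytearray(good)
    tampered[1] ^= 0xFF                                 # flip a dose byte in transit
    results.append(pump.handle(bytes(tampered)))        # tag no longer matches
    forged = struct.pack(BODY_FMT, CMD_BOLUS, 9999, 99) + b"\x00" * TAG_LEN
    results.append(pump.handle(forged))                 # no key, no valid tag
    results.append(pump.handle(remote.build_bolus(5000)))  # authentic but over cap
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The order of checks matters: the tag is verified before anything in the body is trusted, and the counter is only advanced after every check passes, so a rejected over-cap frame cannot be used to burn through counter values. A constant-time comparison (`hmac.compare_digest`) is used so the tag check itself leaks nothing about the expected value.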
In this case it appears that Johnson and Johnson was cooperative with Rapid7, but as we've noted previously, the lion's share of internet-of-broken-things companies tends to respond to researcher vulnerability reports with stone-cold silence.
Filed Under: computer security, insulin pumps, iot, security
Companies: johnson & johnson
Reader Comments
[ link to this | view in chronology ]
Re:
It brings up a more complex issue, specifically simple remote controls which have been made for years and likely have little or no real security on them. 10 years ago (when this insulin device was developed) it's very likely that nobody considered short range "hacks".
It's a good story - but it's not about IoT at all. Seems like just an excuse to bang the drum again.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re:
The same sort of mindset appears in both things, a rush to we can do this and next to no thought in what happens when you do that.
Adding new connectivity to anything without considering the bad ramifications is a stupid way to handle things. While you have to be within 25ft to spike the insulin pump, one could probably build a small device that just keeps sending out the codes as they walk around.
While the insulin pump wasn't directly connected to the IoT, there are heart monitors and other devices that are... and lacking even the most basic security.
There is/was a brand of medical monitor used in hospitals, and for some reason they stuck a user accessible USB port on the front and imagine that people kept plugging things in and some of them got hacked.
These aren't just cameras so you can watch your pet at home, these are medical devices that can harm users and no one has said we need even a minimum amount of security required by law. They think that somehow the free market will spend money on security rather than on the math equation of how much a settlement will be for the lawsuit.
I leave you with PornHub running on a fridge in Home Depot.
https://i.imgur.com/kBRpoZi.jpg
We can connect things to the internet... but why?
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
Walk into any crowd and you're surrounded by countless internet-connected Wi-Fi and Bluetooth transceivers. Software-defined radios - limited by software to a given function and frequency but able to do far more - are becoming common.
[ link to this | view in chronology ]
Re: Re:
Read the article closely - you need to be within a very small distance with a device that can emit the correct frequency and codes for that particular insulin pump.
There is no internet story here, except that you are reading the story online.
[ link to this | view in chronology ]
Re: Re:
Sorry to burst your IoT bubble.
[ link to this | view in chronology ]
Re: Re: Re:
/S
[ link to this | view in chronology ]
Re: Re: Re: Re:
There's already many commercially available models for professionals, radio amateurs and home use. With popular cell phones needing to handle a variety of protocols (GSM, CDMA, UMTS, CDMA 2000, LTE) and a variety of bands varying by carrier and country, what are the chances that some of them - and other devices - are already using SDRs?
[ link to this | view in chronology ]
Re: Re: Re:
...unless you have devices that connect to both the specified range and wifi, or the specified range and 3/4G or the specified range and a wired connection, etc. Even if such devices weren't commercially available, a determined person could certainly create one.
The risk is slim and abuse unlikely, but it's funny how in trying to explain away why there's no problem, you identify the exact places where the risk exists. It's probably a concern over nothing, but the risk exists and it's the same risk that exists with IoT devices, albeit on a much more localised scale.
[ link to this | view in chronology ]
Re: Re: Re: Re:
Please pay attention Paul - it's a bi-directional communication. It doesn't matter how much you turn up the INCOMING power, the device replying has a range of a few feet. It's not in the wifi band, it's in a band just near cellular generally reserved for low power remote controls and similar devices.
The risk here as a general concept is very small. This is one of those "proof of concept" hacks, but one that is fairly hard to implement. You need to find a target with the right device (pretty rare), you need to get very, very close to them (less than 10 feet to have a chance, less than a couple of feet to get reasonable communication speed), figure out which of 16 channels they are on, establish communications, and then you have to trigger the burst of insulin, which the subject still has the potential to override on the unit they are wearing.
Someone who is very determined might be able to do something with such a hack, but it's not comparable to internet connected devices with poor or non-existent security.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
How does that invalidate what I said?
"It's not in the wifi band, it's in a band just near cellular generally reserved for low power remote controls and similar devices"
Indeed. So, continue reading and address the rest of the point.
"The risk here as a general concept is very small"
Exactly as I said above. But, just because a risk is small that does not mean it's not worth considering or comparable to situations with similar but higher risks. You do have a habit of repeating the things that someone else has said in the article or comments in a tone that tries to imply it's an original point.
It is pretty tiresome. You ignored part of my point, restated part of it and failed to address why you disagree with the rest of what you bothered to acknowledge. You've said a lot of words and, as usual, said absolutely nothing.
[ link to this | view in chronology ]
Statistically speaking, Louisville Slugger should put out the same warning.
[ link to this | view in chronology ]
Re:
Smashing someone's head in tends to draw attention to the smasher, and leaves plenty of forensic evidence.
Kill someone remotely from 25 feet and you can be a long way away before it's even realised that the insulin pump didn't simply malfunction, but was manipulated.
[ link to this | view in chronology ]
Re: Re:
Assuming it can be determined the pump was manipulated. Which isn't a given.
Insulin pumps have two delivery modes:
So, all you realistically would need (in theory) would be line of sight, since the 25' limitation is a Bluetooth spec limitation and not a hard and fast physical limitation, and to know what time the person typically goes to bed.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
First, however, you would have to find someone actually using one in public, with the "remote access" feature activated.
Is it possible? Sure. Likely? not really. It's not at all internet related, it's just a malfunction in the way the remote operates. It's not close to an IoT issue, as this is nearly a 10 year old design (long before IoT was even a thing).
[ link to this | view in chronology ]
Re:
A weapon is a state of mind, not an object. You can be beaten to death with the (trivially) detachable seatbelt on an airplane if you put your seatmate in a mind to do so.
An insulin pump is no different. It would, however, be damn near impossible to prove or identify after the fact. There's no such thing as "insulin poisoning", there's just "hypoglycemia, resulting in unconsciousness, followed by death" if not caught in time.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
It seems to me that there is an acceptable approximation of a solution...
First off, create a portal through which researchers, hackers et al could officially notify companies of security flaws in their products. Give users blanket indemnity for the act of using it - can't sue/prosecute anyone for giving the notification or steps taken to discover the vulnerability that would not be illegal beyond legislation that makes those acts themselves illegal (kidnapping and torturing company executives would remain illegal but cracking a password would not) - and make the time/date stamps on the notifications legal proof positive that the company was notified. Then give the company a short but reasonable period of a few weeks to fix/notify users of the issue and then make them legally liable, with an expedited trial process, for any and all subsequent losses, with multiple damages if the company cannot demonstrate reasonable effort to mitigate the problem.
Also, remove the corporate veil for boards and managers that allow/motivate their companies to ignore such problems.
[ link to this | view in chronology ]
Low risk? How low was the risk of a terabit DDoS attack when this IoT thing started?
[ link to this | view in chronology ]
Re:
Because different devices use both different frequencies and different communication protocols, a "kill" beacon approach just wouldn't work out. The device in question here can operate on one of 16 different channels, in the 902–928 MHz frequency range.
Moreover, you have these restrictions:
Operating Range:
    Minimum 3.3 feet (1 meter) obstructed
    Minimum 9.8 feet (3 meters) unobstructed
Communication Time:
    Minimum 0.5 seconds (approximately)
    Maximum 10.5 seconds (approximately)
Best case scenario you need to be within three feet (arm's length) for half a second, checking 16 different channels and negotiating whatever protocol might be required... worst case you are 9 feet away (less than 2 office cubicles) and the person needs to stay in that range for upwards of 10 seconds. Even the slowest of walkers would blow both of those scenarios away pretty quickly.
Moreover, how many people are walking around with these devices anyway? You might set a device up in central station in New York and only have a single person walk through the building in a day with one - or even one per week for all you know. It would only be a decent random attack if you were, say, hanging around a diabetic clinic or something similar. Otherwise, you would be wasting time.
Now devices that are internet connected, well, different story - but that is clearly NOT this story.
[ link to this | view in chronology ]
Re: Re:
"Moreover, how many people are walking around with these devices anyway? You might set a device up in central station in New York and only have a single person walk through the building in a day with one - or even one per week for all you know. It would only be a decent random attack if you were, say, hanging around a diabetic clinic or something similar. Otherwise, you would be wasting time."
So? Twist things as much as you like, add technical statistics as much as you like, it doesn't change anything. Would you feel comfortable if you were wearing a device that could kill you if some determined "enemy" wanted without trace? It doesn't help the ones that use it and are targeted by somebody. Even if the 'casual' attacker scenario is unlikely, a targeted attack is very, very easy.
I saw you going out of your way to protect the company. Are you on their payroll or something?
[ link to this | view in chronology ]
Re: Re: Re:
Exactly, he seems to be ridiculing one scenario, but forgets the others. He's intent on addressing the idea of a random terrorist act, but forgets the possibility of it being used for a targeted assassination. As ever, he's able to grasp a small part of the point but misses what everyone else is actually talking about in his scramble to act superior.
What's funny is, in his attempts to wave away the idea that these things can be exploited in the wild, he's researched all the details needed to construct an attack.
"I saw you going out of your way to protect the company. Are you in their payroll or something?"
If anyone pays him to post here, they need a refund for the low quality work it produces.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
So in this case, the range isn't an issue for an attacker.
Next, we move to opportunity. Well, since I've already noted that thousands of people have opportunity via range, we have to think about who has the necessary equipment to pull this off. I don't know what wavelength these remotes operate on, but my guess is that it's in the medical devices range, which just happens to be shared by some pretty ubiquitous technology, including cheap software defined radio equipment.
So then we've got motive: since we live in a world where SWATting is a thing, "for kicks" is a motive, with no specific target needed. State-actor attacks are also a possibility, as there's no way to trace the attacker with a device like this. So even if they have a log indicating that some remote device gave the command to boost insulin production, there's no way to identify the remote device used, after the fact.
So: you could have a person with a device like this just traveling a subway system. You could have a state actor set up the device somewhere that they know the target is going to be within 25' of at some point. Or, you can have someone remotely hack into a mobile device containing both internet access and an SDR, and program it to broadcast the signal 24/7, unknown to the device owner.
And what does this have to do with IoT? Well, it's not about how the technology can be abused so much as it's about the mindset behind developing tools in the first place -- communications security is not a priority, and sometimes not even discussed.
Unlike the banking industry, where a statistical model is used that optimizes the amount of security applied to protecting data (sometimes it's cheaper to suffer attack than to protect against it in the first place), in the medical field, a successful attack can result in individual death or suffering. This means that the security protection bar should be set orders of magnitude higher. And yet, it isn't. The same profit/loss model is used, when a model is used at all. THIS is the problem.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
I have been in a power wheelchair for most of my life and am currently in the process of buying a new one. While going over options with the sales rep, he got all excited to tell me about this new feature where the chair's controller could interface with my PC via bluetooth and double up as a mouse!
I looked blankly at the guy and said, "Please tell me this is optional."
Thankfully it is... for now.
He was utterly baffled as to why I would not want the chair I'm 100% reliant on for mobility and independence to be connected to my PC. Why wouldn't I want the on board computer system that runs the chair talking to my desktop; and therefore, indirectly, the net? Gee, I can't think of any logical reason.
Additionally, he could tell me nothing about the security of the wireless connection - although nothing would make the risk worth it for me. As it is, I worry some components for this will still be present regardless of me not choosing this option.
I really fear the day this 'feature' is no longer optional.
Save us from the smart.
[ link to this | view in chronology ]
But we really, really really want our cybernetic revolt!
[ link to this | view in chronology ]
2006: Medtronic Introduces a wireless insulin pump called "Paradigm REAL-TIME."
2008: Johnson & Johnson release their own, similar device called "Animas Ping."
The Paradigm and Animas devices are each other's fiercest competitors.
2011: Jay Radcliffe exploits security vulnerabilities in the Paradigm device. He can KILL you REMOTELY. He gives a talk and demonstrates the exploit at Black Hat.
AT BLACK HAT.
The mainstream media ride this story into the ground in the cataclysmic fashion only the mainstream media can.
Meanwhile: Medtronic is suing Johnson & Johnson for patent infringement. The patents being infringed are for the Paradigm device. The device claimed to be infringing is the Animas device. Medtronic is literally accusing J&J of COPYING the thing. COPYING.
2016: Jay Radcliffe hacks the Animas device using a similar exploit. He can KILL you REMOTELY.
So....what this means is that in the 5 intervening years, nobody at J&J thought, "Hrm. Maybe we should check out the security of that device we make with the patents we stole from that other device that wasn't secure."
[ link to this | view in chronology ]
They probably did
[ link to this | view in chronology ]
2) take advantage of the increased demand for insulin
3) jack prices
4) incorporate backdoors into the insulin devices
5) ???
6) profit
[ link to this | view in chronology ]