Johnson & Johnson warns its insulin pump could be hacked to potentially cause an overdose

Pharmaceutical firm Johnson & Johnson has warned diabetic patients that a security vulnerability discovered in one of its insulin pumps could be exploited by hackers and cause a potentially fatal overdose. The health care giant issued a warning on Tuesday (4 October) about a possible cybersecurity issue in its Animas OneTouch Ping insulin pump after researchers at security firm Rapid 7 discovered the vulnerabilities.

Launched in 2008, the Animas OneTouch Ping pump allows diabetic patients to give themselves a dose of insulin using a Wi-Fi remote control that wirelessly communicates with the insulin pump from up to 10 feet away using an unencrypted radio frequency communication system.

The company said there have been no reported attacks and described the risk as "extremely low."

"It would require technical expertise, sophisticated equipment and proximity to the pump, as the OneTouch Ping system is not connected to the internet or to any external network," the company wrote in a letter, obtained by Reuters, mailed to 114,000 customers throughout US and Canada, as well as doctors who may prescribe the device. "In addition, the system has multiple safeguards to protect its integrity and prevent unauthorized action."

Jay Radcliff, a diabetic and researcher at Rapid7, said he discovered the vulnerabilities back in April and disclosed them in a blog post published on 28 September. He found that hackers could potentially hijack communications between the pump and its radio frequency remote from up to 25 feet away, allowing a malicious intruder to potentially administer unauthorised additional doses of the diabetes drug.

"The OneTouch Ping insulin pump system uses cleartext communications rather than encrypted communications, in its proprietary wireless management protocol," the firm wrote. "Due to this lack of encryption, Rapid7 researcher Jay Radcliffe discovered that a remote attacker can spoof the Meter Remote and trigger unauthorized insulin injections."

Johnson & Johnson said they confirmed Radcliffe's report, but maintained that the pump is still "safe and reliable." The company said patients worried about the risks could take additional precautions such as turning off the pump's radio frequency feature or limiting the amount of insulin delivered.

The latest announcement comes amid rising concerns surrounding the risk of medical device hacks, given the rise in automation and the Internet of Things that offer more connected solutions that are often more vulnerable to cyberattacks.

In February, a senior researcher at security firm Kaspersky Lab demonstrated how he could easily hack into a hospital's critical network, with permission, and access an MRI device.

The US Food and Drug Administration has also encouraged medical device manufacturers to work closely with security researchers to mitigate risks of cyberattacks and provide patients with vital information about device bugs to allow them to "make informed decisions" regarding the products.

"As these devices get more advanced, and eventually connect to the internet (directly or indirectly), the level of risk goes up dramatically," Radcliff wrote. "This research highlights why it is so important to wait for vendors, regulators and researchers to fully work on these highly complex devices. This is not something to be rushed into as there is a patient's life on the line."