
CERT Coordination Center

Animas OneTouch Ping insulin pump contains multiple vulnerabilities

Vulnerability Note VU#884840

Original Release Date: 2016-10-04 | Last Revised: 2016-10-11

Overview

The Animas OneTouch Ping insulin pump contains multiple vulnerabilities that may allow an unauthenticated remote attacker to obtain patient treatment or device data, or execute commands on the device. The attacker cannot obtain personally identifiable information.

Description

CWE-319: Cleartext Transmission of Sensitive Information - CVE-2016-5084

The Animas OneTouch Ping insulin pump transmits patient treatment data and device data, including encryption passwords, in cleartext over the wireless link between the pump and its meter remote. An unauthenticated attacker within radio range may be able to capture all associated wireless transmissions from the device.

According to Johnson & Johnson, parent company of Animas:

"Information between the pump and meter is unencrypted, which could allow a malicious actor to capture patient treatment data, however this data does not include personally identifiable information."

CWE-330: Use of Insufficiently Random Values - CVE-2016-5085

The Animas OneTouch Ping insulin pump uses a CRC32 checksum as if it were an encryption key. Because CRC32 is a deterministic, non-secret function of its input, the resulting value does not change between authentication handshakes between the same pump and meter remote, so an attacker who captures one exchange can reuse it. According to Animas and Rapid7, "A malicious actor may be able to listen to communication between the pump and meter remote and obtain the necessary information to spoof being the meter remote."

CWE-294: Authentication Bypass by Capture-replay - CVE-2016-5086

The Animas OneTouch Ping insulin pump uses a custom communication protocol that does not provide sufficient protections to guard against capture-replay attacks. According to Animas and Rapid7, "Once a malicious actor has spoofed being the meter remote, he/she could learn commands a patient initiates from the meter remote to the pump and attempt to replay them from a device other than the meter remote to the pump. Please refer to the mitigation section [see Solution below] for details on controls in place to reduce this risk."

CWE-290: Authentication Bypass by Spoofing - CVE-2016-5686

The Animas OneTouch Ping insulin pump uses a custom communications protocol that does not provide sufficient protections to guard against spoofed responses. Reportedly, an unauthenticated remote attacker may be able to spoof acknowledgement packets in either direction: toward the pump, to cause it to perform actions or commands, or toward the meter remote, to cause it to believe an acknowledgement was received for a command the pump never executed.
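The three protocol findings above (CWE-330, CWE-294 and CWE-290) share one root cause: the value that is supposed to authenticate the meter remote is static and derivable, and nothing binds a command or its acknowledgement to a particular session. The following is an added illustration written for this note; it is not the Animas protocol, Rapid7's tooling, or any code from the vendor, and every message format, command string and pairing value in it is invented. It models a "weak" pump whose token is a CRC32 over fixed pairing data beside a hardened variant that uses a per-pairing secret, a monotonic counter and an HMAC over both the command and the acknowledgement, then runs replay, spoof and fake-acknowledgement attempts against each.

```python
"""Toy model of a static-token radio protocol versus a counter-plus-MAC design.

Added example, not the Animas OneTouch Ping protocol. All formats are invented.
"""
import hashlib
import hmac
import os
import zlib
from typing import Optional


# ---------- weak pattern: a CRC32 checksum stands in for a key ----------

def weak_token(pairing_data: bytes) -> bytes:
    # CRC32 is a public, deterministic function of its input: anyone who
    # captures one message holds the token for every future message.
    return zlib.crc32(pairing_data).to_bytes(4, "big")


class WeakPump:
    WEAK_ACK = b"OK"  # constant acknowledgement, forgeable by anyone

    def __init__(self, pairing_data: bytes) -> None:
        self.token = weak_token(pairing_data)
        self.delivered = []

    def handle(self, msg: bytes) -> Optional[bytes]:
        token, cmd = msg[:4], msg[4:]
        if not hmac.compare_digest(token, self.token):
            return None
        self.delivered.append(cmd)        # no freshness check: replays succeed
        return self.WEAK_ACK


def weak_remote_send(pairing_data: bytes, cmd: bytes) -> bytes:
    return weak_token(pairing_data) + cmd


def weak_remote_ack_valid(ack: Optional[bytes]) -> bool:
    # The remote only compares against a constant, so a forged b"OK" passes.
    return ack == WeakPump.WEAK_ACK


# ---------- hardened pattern: shared secret, counter, MAC in both directions ----------

def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


class HardenedPump:
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_counter = 0
        self.delivered = []

    def handle(self, msg: bytes) -> Optional[bytes]:
        body, tag = msg[:-32], msg[-32:]
        if not hmac.compare_digest(tag, mac(self.key, b"CMD" + body)):
            return None                    # forged or tampered command
        counter = int.from_bytes(body[:4], "big")
        if counter <= self.last_counter:
            return None                    # replay of an already-seen command
        self.last_counter = counter
        self.delivered.append(body[4:])
        return mac(self.key, b"ACK" + body)  # ack bound to this exact command


class HardenedRemote:
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counter = 0
        self.last_body = b""

    def send(self, cmd: bytes) -> bytes:
        self.counter += 1
        self.last_body = self.counter.to_bytes(4, "big") + cmd
        return self.last_body + mac(self.key, b"CMD" + self.last_body)

    def ack_valid(self, ack: Optional[bytes]) -> bool:
        return ack is not None and hmac.compare_digest(
            ack, mac(self.key, b"ACK" + self.last_body))


def demo() -> dict:
    """Run capture, replay, spoof and fake-ack attempts against both designs."""
    pairing = b"PUMP-SERIAL-000001"          # constructed sample pairing data
    bolus = b"BOLUS:0.5U"                    # constructed sample command
    results = {}

    wp = WeakPump(pairing)
    captured = weak_remote_send(pairing, bolus)  # one legitimate message, recorded over the air
    wp.handle(captured)                          # the patient's own command
    results["weak_replay_accepted"] = wp.handle(captured) is not None
    results["weak_spoof_accepted"] = wp.handle(captured[:4] + b"BOLUS:9.9U") is not None
    results["weak_fake_ack_accepted"] = weak_remote_ack_valid(b"OK")

    key = os.urandom(32)                     # assumed to be established out of band at pairing
    hp, hr = HardenedPump(key), HardenedRemote(key)
    m1 = hr.send(bolus)
    results["hardened_fresh_accepted"] = hr.ack_valid(hp.handle(m1))
    results["hardened_replay_accepted"] = hp.handle(m1) is not None
    forged = (2).to_bytes(4, "big") + b"BOLUS:9.9U" + m1[-32:]   # new command, old tag
    results["hardened_forge_accepted"] = hp.handle(forged) is not None
    results["hardened_fake_ack_accepted"] = hr.ack_valid(b"OK")
    results["weak_deliveries"] = len(wp.delivered)
    results["hardened_deliveries"] = len(hp.delivered)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The weak side accepts the replayed message, the spoofed command carrying the captured token, and a bare forged acknowledgement; the hardened side accepts only the one fresh, correctly tagged command and rejects the rest. The counter check alone is not enough, since an attacker could pick an unused counter value; it is the MAC under a secret never sent over the air that makes both the command and its acknowledgement unforgeable, which is what a CRC32 cannot provide.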

Impact

An unauthenticated remote attacker may be able to capture patient treatment or device data from the wireless link, execute commands on the pump and/or meter remote, or prevent actions from occurring by spoofing acknowledgement packets. The attacker cannot obtain personally identifiable information.

Solution

Johnson & Johnson has provided the following statement:

"There are no plans to release a firmware update, however a notification is being sent to patients and HealthCare Professionals. In addition, there are a number of documented and proprietary mitigating controls in place to ensure the safe delivery of insulin, outlined below.
i. If patients are concerned about unauthorized access for any reason, the pump’s radio frequency feature can be turned off, which is explained in Chapter 2 of Section III of the OneTouch® Ping® Owner’s Booklet. However, turning off this feature means that the pump and meter will no longer communicate and blood glucose readings will need to be entered manually on the pump.
ii. If patients choose to use the meter remote feature, another option for protection is to program the OneTouch® Ping® pump to limit the amount of bolus insulin that can be delivered. Bolus deliveries can be limited through a number of customizable settings (maximum bolus amount, 2-hour amount, and total daily dose). Any attempt to exceed or override these settings will trigger a pump alarm and prevent bolus insulin delivery. For more information, please see Chapter 10 of Section I of the OneTouch® Ping® Owner’s Booklet.
iii. The company also suggests turning on the Vibrating Alert feature of the OneTouch® Ping® System, as described in Chapter 4 of Section I. This notifies the user that a bolus dose is being initiated by the meter remote, which gives the patient the option of canceling the bolus.
iv. The bolus delivery alert and the customizable limits on bolus insulin can only be enabled on the pump and cannot be altered by the meter remote. This is also true of basal insulin. Patients can also be reminded that any insulin delivery and the source of the delivery (pump or meter remote) are recorded in the pump history, so patients can review the bolus dosing."

Vendor Information


Johnson & Johnson Affected

Notified:  May 09, 2016 Updated: October 04, 2016

Statement Date:   September 27, 2016

Status

Affected

Vendor Statement

The vendor statement is reproduced in full under Solution above.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics (CVSS v2)

Group          Score   Vector
Base           9.3     AV:N/AC:M/Au:N/C:C/I:C/A:C
Temporal       7.3     E:POC/RL:OF/RC:C
Environmental  6.5     CDP:H/TD:M/CR:H/IR:H/AR:H

Acknowledgements

Thanks to Tod Beardsley of Rapid7 for reporting these vulnerabilities.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2016-5084, CVE-2016-5085, CVE-2016-5086, CVE-2016-5686
Date Public: 2016-10-04
Date First Published: 2016-10-04
Date Last Updated: 2016-10-11 20:13 UTC
Document Revision: 53

Sponsored by CISA.