Overview
The Animas OneTouch Ping insulin pump contains multiple vulnerabilities that may allow an unauthenticated remote attacker to obtain patient treatment or device data, or execute commands on the device. The attacker cannot obtain personally identifiable information.
Description
CWE-319: Cleartext Transmission of Sensitive Information - CVE-2016-5084
The Animas OneTouch insulin pump transmits patient treatment data and device data, such as encryption passwords, over the network in cleartext. An unauthenticated remote attacker may be able to sniff all associated wireless transmissions from the device.
Impact
An unauthenticated remote attacker may be able to sniff patient treatment or device data from communications, execute commands on the device and/or its remote, or prevent actions from occurring by spoofing acknowledgement packets. The attacker cannot obtain personally identifying information.
Solution
Johnson and Johnson has provided the following statement:
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| Temporal | 7.3 | E:POC/RL:OF/RC:C |
| Environmental | 6.5 | CDP:H/TD:M/CR:H/IR:H/AR:H |
References
Acknowledgements
Thanks to Tod Beardsley of Rapid7 for reporting this vulnerability.
This document was written by Garret Wassermann.
Other Information
CVE IDs: CVE-2016-5084, CVE-2016-5085, CVE-2016-5086, CVE-2016-5686
Date Public: 2016-10-04
Date First Published: 2016-10-04
Date Last Updated: 2016-10-11 20:13 UTC
Document Revision: 53