Today we are announcing three vulnerabilities in the Animas OneTouch Ping insulin pump system, a popular pump with a blood glucose meter that serves as a remote control via RF communication. Before we get into the technical details, we want to flag that we believe the risk of wide-scale exploitation of these insulin pump vulnerabilities is relatively low, and we don't believe this is cause for panic. We recommend that users of the devices consult their healthcare providers before making major decisions regarding the use of these devices. More on that further down in this post.
Users should also be receiving notification of this issue, along with details for mitigating it, directly from Animas Corporation, via physical mail. We recommend you pay close attention to this communication.
The OneTouch Ping is a popular medical device used by diabetic patients to self-administer insulin. According to the vendor's website, it is a "two-part system" that "communicates wirelessly to deliver insulin." The two devices communicate in the 900 MHz band using a proprietary management protocol.
Summary of findings
The OneTouch Ping insulin pump system uses cleartext communications rather than encrypted communications, in its proprietary wireless management protocol. Due to this lack of encryption, Rapid7 researcher Jay Radcliffe discovered that a remote attacker can spoof the Meter Remote and trigger unauthorized insulin injections.
Due to these vulnerabilities, an adversary within sufficient proximity (which depends on the radio transmission equipment being used) can remotely harm users of the system and potentially cause them to have a hypoglycemic reaction, if the patient does not cancel the insulin delivery on the pump.
These issues have been reported to the vendor, Animas Corporation, CERT/CC, the FDA and DHS. Animas has been highly responsive and is proactively notifying users of the devices, and recommending mitigations for the risks.
Findings and analysis
Three major findings were discovered during the analysis of the product. For raw, uncommented packet data, please see the addendum at the end of this advisory.
R7-2016-07.1: Communications transmitted in cleartext (CVE-2016-5084)
Packet captures demonstrate that the communications between the remote and the pump are transmitted in the clear. During the normal course of operation, de-identified blood glucose results and insulin dosage data are leaked to eavesdroppers, who can receive them remotely.
R7-2016-07.2: Weak pairing between remote and pump (CVE-2016-5085)
There is a pairing process, done during the setup of the pump, that partners the pump with a remote. This is to prevent the pump from taking commands from other remotes whose transmissions it might accidentally pick up. The pairing process is done through a 5-packet exchange in the clear, in which the two devices exchange serial numbers and some header information. This is used to generate a CRC32 "key" (for lack of a better term). This key is used by the remote and pump in all future transmissions and is transmitted in the clear. The 5 packets are identical every time the pairing process is done between the remote and insulin pump. This eliminates the possibility of the devices using encryption. Animas patent documents do not outline what exactly is used in the CRC generation, but it includes no encryption.
Attackers can trivially sniff the remote/pump key and then spoof being the remote or the pump. This can be done without knowledge of how the key is generated. This vulnerability can be used to remotely dispense insulin and potentially cause the patient to have a hypoglycemic reaction.
R7-2016-07.3: Lack of replay attack prevention or transmission assurance (CVE-2016-5086)
Communication between the pump and remote has no sequence numbers, timestamps, or other forms of defense against replay attacks. Because of this, attackers can capture remote transmissions and replay them later to perform an insulin bolus without special knowledge, which can potentially cause the patient to have a hypoglycemic reaction.
In addition, the protocol the remote meter and pump use to communicate does not have elements that guarantee the devices have received the packets in a certain order or at all. It is believed that the weakness in this protocol would allow an attacker to perform a spoofed remote attack from a considerable distance from the user/patient. This would be done by a sufficiently powered remote sending commands to the pump in the blind, without needing to hear the acknowledgement packets.
This video demonstrates an attack on the Animas OneTouch Ping.
The OneTouch Ping does not communicate on 802.11 WiFi, or otherwise communicate on the internet. However, it is believed these attacks could be performed from one to two kilometers away, if not substantially further, using sufficient elevation and off-the-shelf radio transmission gear available to ham radio hobbyists.
The normal use case between the remote and pump is approximately 10 meters. In 2011, Barnaby Jack of McAfee, Inc. claimed an ability to perform a 900 MHz band attack from 90 meters away with an external directional antenna (a commercial 3-element yagi); however, he did not execute this attack against the OneTouch Ping.
Using industry standard encryption with a unique key pair would mitigate these issues.
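As an added example that is not part of this advisory and not Animas's code, the Go program below contrasts a model of the weak design described in the findings with the fix recommended above. The weak model stands in for the cleartext CRC32 pairing token: the serial numbers, the command string and the inputs to the CRC are constructed assumptions, since the real derivation is undocumented. The hardened model gives each pairing a secret AES-128-GCM key that never goes over the air and a monotonic 64-bit counter that both forms the nonce and serves as the sequence number, so a replayed frame and a tampered frame are both rejected while the weak model accepts the same captured bytes every time.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

// weakPairingToken is a constructed stand-in for the CRC32 "key" the advisory
// describes; the real inputs to the CRC are undocumented (assumption).
func weakPairingToken(remoteSerial, pumpSerial string) uint32 {
	return crc32.ChecksumIEEE([]byte(remoteSerial + pumpSerial))
}

// weakAccept models the weak pump: any frame carrying the cleartext token is
// acted on, and nothing marks a frame as stale, so a captured frame is
// accepted every time it is presented.
func weakAccept(token uint32, frame []byte) (string, error) {
	if len(frame) < 4 || binary.BigEndian.Uint32(frame[:4]) != token {
		return "", errors.New("unpaired remote")
	}
	return string(frame[4:]), nil
}

// SecureRemote encrypts each command under a key unique to this pairing. The
// 96-bit GCM nonce is a zero 32-bit prefix plus the 64-bit send counter, so
// nonces never repeat and the counter doubles as the sequence number.
type SecureRemote struct {
	aead cipher.AEAD
	seq  uint64
}

// SecurePump remembers the highest counter it has already accepted.
type SecurePump struct {
	aead    cipher.AEAD
	lastSeq uint64
}

func (r *SecureRemote) Send(cmd string) []byte {
	r.seq++
	var nonce [12]byte
	binary.BigEndian.PutUint64(nonce[4:], r.seq)
	// Frame = nonce || ciphertext || tag; the nonce is also authenticated as AAD.
	return r.aead.Seal(append([]byte{}, nonce[:]...), nonce[:], []byte(cmd), nonce[:])
}

func (p *SecurePump) Accept(frame []byte) (string, error) {
	if len(frame) < 12+p.aead.Overhead() {
		return "", errors.New("short frame")
	}
	nonce, ct := frame[:12], frame[12:]
	seq := binary.BigEndian.Uint64(nonce[4:])
	if seq <= p.lastSeq {
		return "", errors.New("replayed or stale frame")
	}
	pt, err := p.aead.Open(nil, nonce, ct, nonce)
	if err != nil {
		return "", errors.New("forged or corrupted frame")
	}
	p.lastSeq = seq // advance only after the tag has verified
	return string(pt), nil
}

// Result records what each model did with a first frame, a replay and a tampered frame.
type Result struct{ WeakReplayAccepted, SecureFirstAccepted, SecureReplayRejected, SecureForgeRejected bool }

// Demo drives both models with constructed serials and a constructed command.
func Demo() Result {
	var res Result
	token := weakPairingToken("REMOTE-0001", "PUMP-0001")
	captured := append(binary.BigEndian.AppendUint32(nil, token), "DELIVER 1.0U"...)
	_, err1 := weakAccept(token, captured)
	_, err2 := weakAccept(token, captured) // identical bytes, presented again
	res.WeakReplayAccepted = err1 == nil && err2 == nil

	key := make([]byte, 16) // established once at pairing, never transmitted
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	block, _ := aes.NewCipher(key)  // 16-byte key: cannot fail
	aead, _ := cipher.NewGCM(block) // standard 12-byte nonce: cannot fail
	remote, pump := &SecureRemote{aead: aead}, &SecurePump{aead: aead}
	frame := remote.Send("DELIVER 1.0U")
	_, err := pump.Accept(frame)
	res.SecureFirstAccepted = err == nil
	_, err = pump.Accept(frame) // replay: counter already seen
	res.SecureReplayRejected = err != nil
	tampered := remote.Send("DELIVER 1.0U")
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the GCM tag
	_, err = pump.Accept(tampered)
	res.SecureForgeRejected = err != nil
	return res
}

func main() { fmt.Printf("%+v\n", Demo()) }
```

The counter check runs before the tag check so a stale frame is dropped without any cryptographic work, and the counter is advanced only after the tag verifies so a forged frame cannot push it forward. A real pump would also persist lastSeq across power cycles and tolerate a bounded window of lost frames, which the page's protocol, lacking acknowledgement guarantees, would need anyway.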
Affected users can avoid these issues entirely by disabling the radio (RF) functionality of the device. On the OneTouch Ping Insulin Pump, this is done through the Setup -> Advanced -> Meter/10 screen, and selecting "RF = OFF".
In addition, the vendor has provided other mitigations for these issues, described on their website and in letters being sent to all patients using the pump and health care professionals.
Patients should consult with their own endocrinologist about any aspect of their ongoing medical care.
Researcher's note regarding mitigations
I am Jay Radcliffe, security researcher at Rapid7 and Type I diabetic. Five years ago, when I first disclosed security vulnerabilities in an insulin device, I was shocked and overwhelmed with the number of concerned users that came to me looking for advice and help. Here we are again with new research on a medical device. If you are not technical and read the security advisory, you are probably more than worried. I would be too. So let me help clarify and explain some things from a patient perspective. Know that the device I did 90% of my research on was the device I had attached to me for several years; I know how important this device is to a diabetic's health.
First, know that we take risks every day. We leave the house. We drive a car. We eat a muffin. We guess the amount of carbs. All entail risk. This research uncovers a previously unknown risk. This is similar to saying that there is risk of an asteroid hitting you, a car accident occurring or miscalculating the amount of insulin for that muffin you ate. Some of those risks are low (asteroid), some are high (insulin). This knowledge of risk allows individuals to make personal decisions. Most people are at limited risk of any of the issues related to this research. These are sophisticated attacks that require being physically close to a pump. Some people will choose to see this as significant, and for that they can turn off the RF/remote features of the pump and eliminate that risk.
Second, always take care of your diabetes first. We all know the dangers of high blood sugar and low blood sugar too. These risks often far outweigh the risks highlighted in this research. If you are concerned, work with your endocrinologist and device vendor to make sure you are making the best choices. Removing an insulin pump from a diabetic over this risk is similar to never taking an airplane because it might crash.
Third, this research is done to make sure the future of our devices is safe. As these devices get more advanced, and eventually connect to the internet (directly or indirectly), the level of risk goes up dramatically. This research highlights why it is so important to wait for vendors, regulators and researchers to fully work on these highly complex devices. This is not something to be rushed into, as there is a patient's life on the line. We all want the best technology right away, but doing it in a reckless, haphazard way sets the whole process back for everyone.
I do not pump right now. I take shots manually. Not because of the security risks of insulin pumps, but because that is what my doctor and I have chosen. If any of my children became diabetic and the medical staff recommended putting them on a pump, I would not hesitate to put them on a OneTouch Ping. It is not perfect, but nothing is. In this process I have worked with Animas and its parent company, Johnson & Johnson, and know that they are focused on taking care of the patient and doing what is right.
Finally, please know that neither Animas nor Johnson & Johnson has paid me or Rapid7 for any of the research done on the device described here. This is just the advice of one parent and a person who has spent 17 years counting carbs and taking a risk on how much insulin is right.
Disclosure timeline
This vulnerability advisory was prepared in accordance with Rapid7's disclosure policy.
- Thu, Apr 14, 2016: Attempted to contact the vendor at firstname.lastname@example.org, email@example.com, and several other aliases at both domains.
- Thu, Apr 21, 2016: Details disclosed to the vendor at firstname.lastname@example.org (PGP KeyID: 0xEC69B12DFF06A1CA)
- Mon, Apr 25, 2016: Animas initiated complaint handling process
- Fri, May 06, 2016: Further clarified details with vendor
- Mon, May 09, 2016: Details disclosed to CERT
- Thu, Jun 16, 2016: CVEs assigned by CERT
- Jul-Sep, 2016: Worked with Animas on validating the reported vulnerabilities
- Wed, Sep 21, 2016: Mitigations provided by the vendor
- Tue, Oct 04, 2016: Public disclosure
Addendum: Sample Packet Data
The following describes a sample packet captured between the insulin pump and the remote meter.
Status-1
REMOTE: 00 00 00 04 A3 5A 92 B2 4C 00 0E 0F  .....Z..L...
REMOTE: 00 00 00 04 A3 5A 92 B2 4C 00 0E 0F  .....Z..L...
PUMP:   00 00 FF 00 1A D1 81 81  ........
REMOTE: 20 00 0E 00 BF DB CC 6F  ......o
PUMP:   03 00 F1 04 16 B9 B9 87 2C 01 00 00  ........,...
REMOTE: 03 00 F8 00 31 FD C9 EE  ....1...
PUMP:   03 00 07 04 88 76 DA DD 2C 01 00 00  .....v..,...
REMOTE: 03 00 12 00 F0 30 0E FC  .....0..
PUMP:   20 00 ED 12 E7 BC 93 43 01 01 27 05 26 02 8F 00  ......C..'.&...
PUMP:   57 45 45 4B 44 41 59 00 00 00  WEEKDAY...
PUMP:   05 00 EA 00 D5 8F 84 B3
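As an added example that is not part of the advisory, the Go program below parses the addendum's capture format ("ROLE: hex bytes, then an ASCII column") into frames, re-derives the ASCII column from the bytes, and pulls out the readable strings, such as WEEKDAY, that a cleartext protocol exposes to any receiver in range. ParseDump, ASCII and PrintableRuns are my own functions; the embedded sample is the advisory's capture, reproduced one frame per line.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strings"
)

// Frame is one line of the capture: which side transmitted it and its raw bytes.
type Frame struct {
	Role string
	Data []byte
}

// sampleDump is the capture from the advisory's addendum, one frame per line;
// "Status-1" is the capture heading.
const sampleDump = `Status-1
REMOTE: 00 00 00 04 A3 5A 92 B2 4C 00 0E 0F .....Z..L...
REMOTE: 00 00 00 04 A3 5A 92 B2 4C 00 0E 0F .....Z..L...
PUMP: 00 00 FF 00 1A D1 81 81 ........
REMOTE: 20 00 0E 00 BF DB CC 6F ......o
PUMP: 03 00 F1 04 16 B9 B9 87 2C 01 00 00 ........,...
REMOTE: 03 00 F8 00 31 FD C9 EE ....1...
PUMP: 03 00 07 04 88 76 DA DD 2C 01 00 00 .....v..,...
REMOTE: 03 00 12 00 F0 30 0E FC .....0..
PUMP: 20 00 ED 12 E7 BC 93 43 01 01 27 05 26 02 8F 00 ......C..'.&...
PUMP: 57 45 45 4B 44 41 59 00 00 00 WEEKDAY...
PUMP: 05 00 EA 00 D5 8F 84 B3`

// ParseDump reads "ROLE: hh hh ... <ascii column>" lines. Bytes are taken until
// the first token that is not exactly one hex byte, which is where the dump's
// ASCII column begins; that column is discarded and re-derived from the bytes.
func ParseDump(dump string) ([]Frame, error) {
	var frames []Frame
	for _, line := range strings.Split(dump, "\n") {
		role, rest, ok := strings.Cut(line, ":")
		if !ok {
			continue // capture heading or blank line
		}
		var raw []byte
		for _, tok := range strings.Fields(rest) {
			b, err := hex.DecodeString(tok)
			if err != nil || len(b) != 1 {
				break
			}
			raw = append(raw, b[0])
		}
		if len(raw) == 0 {
			return nil, fmt.Errorf("no hex bytes on line %q", line)
		}
		frames = append(frames, Frame{Role: strings.TrimSpace(role), Data: raw})
	}
	return frames, nil
}

// ASCII renders bytes the way the dump's right-hand column does: printable
// characters as themselves, everything else (space included) as '.'.
func ASCII(b []byte) string {
	out := make([]byte, len(b))
	for i, c := range b {
		out[i] = '.'
		if c > 0x20 && c < 0x7F {
			out[i] = c
		}
	}
	return string(out)
}

// PrintableRuns returns every run of at least minLen printable characters. In a
// cleartext protocol these are strings an eavesdropper reads straight off the air.
func PrintableRuns(b []byte, minLen int) []string {
	var runs []string
	start := -1 // index where the current printable run began, or -1
	for i := 0; i <= len(b); i++ {
		if i < len(b) && b[i] > 0x20 && b[i] < 0x7F {
			if start < 0 {
				start = i
			}
			continue
		}
		if start >= 0 && i-start >= minLen {
			runs = append(runs, string(b[start:i]))
		}
		start = -1
	}
	return runs
}

func main() {
	frames, err := ParseDump(sampleDump)
	if err != nil {
		panic(err)
	}
	for i, f := range frames {
		fmt.Printf("%2d %-6s %2d bytes  %-16s %v\n", i, f.Role, len(f.Data), ASCII(f.Data), PrintableRuns(f.Data, 3))
	}
}
```

Running it lists eleven frames and flags only the tenth (the WEEKDAY status frame) as carrying a readable string of three or more characters; the first two REMOTE frames are byte-for-byte identical, which is what a receiver without sequence numbers or timestamps has no way to distinguish.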