The good news about this hack is that you would need good timing and physical proximity to the wireless remote which instructs the pump to administer insulin; the bad news is that this is all that is needed and it could result in the death or hospitalization of the target. The vulnerability stems from the usual problem: the transmission between the remote and pump is done in the clear, letting anyone who is looking retrieve serial numbers and codes. With that information you can then trigger a dose to be delivered or quite feasibly change the default amount of dosage the pump delivers, as was done previously with a different model.
IoT security as it applies to fridges and toasters is one thing; medical devices are quite another. News of unauthorized access to pacemakers and other drug delivery systems which could result in death is not uncommon, yet companies continue to produce insecure systems. Adding even simple encryption to transmissions, as well as firmware-based dosage sizes, should be trivial after the release of a product and even easier before it is released. Keep this in mind when you are seeking medical care; choosing devices which are less likely to kill you because of shoddy security makes sense. You can pop by Slashdot for links to some stories or wade into the comments if you so desire.
"Johnson and Johnson has revealed that its JJ Animas OneTouch Ping insulin pump is vulnerable to hackers, who could potentially force the device to overdose diabetic patients — however, it declares that the risk of this happening is very low."
Here is some more Tech News from around the web:
- Let's not meet up with JPEG 2000 – researchers find security hole in image codec @ The Register
- Apple's Use Of 'Sapphire' in iPhone Camera Lens Questioned in New Tests @ Slashdot
- DRAM contract prices to rise nearly 30% in 4Q16, says DRAMeXchange @ DigiTimes
- Win Loot with the Enlightened Raspberry Pi Contest @ Hack a Day
- Lenovo exec: Nope, not building Windows Phones @ The Register
- KNOXout: Samsung Knox vulnerabilities give hackers 'full control' of devices @ The Inquirer