The Animas OneTouch Ping insulin pump contains multiple vulnerabilities that may allow an unauthenticated remote attacker to obtain patient treatment or device data, or execute commands on the device. The attacker cannot obtain personally identifiable information.
CWE-319: Cleartext Transmission of Sensitive Information - CVE-2016-5084
The Animas OneTouch insulin pump transmits patient treatment data and device data such as encryption passwords over the network in cleartext. An unauthenticated remote attacker may be able to sniff all associated wireless transmissions from the device.
An unauthenticated remote attacker may be able to sniff patient treatment or device data from communications, or execute commands on the device and/or remote, or prevent actions from occurring by spoofing acknowledgement packets. The attacker cannot obtain personally identifying information.
Johnson and Johnson has provided the following statement:
Thanks to Tod Beardsley of Rapid7 for reporting this vulnerability.
This document was written by Garret Wassermann.