Vulnerability Note VU#884840
Animas OneTouch Ping insulin pump contains multiple vulnerabilities
The Animas OneTouch Ping insulin pump contains multiple vulnerabilities that may allow an unauthenticated remote attacker to obtain patient treatment or device data, or execute commands on the device. The attacker cannot obtain personally identifiable information.
CWE-319: Cleartext Transmission of Sensitive Information - CVE-2016-5084
The Animas OneTouch insulin pump transmits patient treatment data and device data such as encryption passwords over the network in cleartext. An unauthenticated remote attacker may be able to sniff all associated wireless transmissions from the device.
CWE-330: Use of Insufficiently Random Values - CVE-2016-5085
The Animas OneTouch insulin pump uses a CRC32 checksum as if it were an encryption key. This value then does not change between authentication handshakes between the same device and remote station. According to Animas and Rapid7, "A malicious actor may be able to listen to communication between the pump and meter remote and obtain the necessary information to spoof being the meter remote."
CWE-294: Authentication Bypass by Capture-replay - CVE-2016-5086
The Animas OneTouch insulin pump uses a custom communication protocol that does not provide sufficient protections to guard against capture-replay attacks. According to Animas and Rapid7, "Once a malicious actor has spoofed being the meter remote, he/she could learn commands a patient initiate from the meter remote to the pump and attempt to replay them from a device other than the meter remote to the pump. Please refer to the mitigation section [see Resolution below] for details on controls in place to reduce this risk."
CWE-290: Authentication Bypass by Spoofing - CVE-2016-5686
The Animas OneTouch insulin pump uses a custom communications protocol that does not provide sufficient protections to guard against spoofed responses. Reportedly, it may be possible for an unauthenticated remote attacker to spoof acknowledgement packets to perform actions or commands on the device, or cause a remote to believe an acknowledgement was received after performing a command.
An unauthenticated remote attacker may be able to sniff patient treatment or device data from communications, or execute commands on the device and/or remote, or prevent actions from occurring by spoofing acknowledgement packets. The attacker cannot obtain personally identifying information.
Johnson and Johnson has provided the following statement:
i. If patients are concerned about unauthorized access for any reason, the pump’s radio frequency feature can be turned off, which is explained in Chapter 2 of Section III of the OneTouch® Ping® Owner’s Booklet. However, turning off this feature means that the pump and meter will no longer communicate and blood glucose readings will need to be entered manually on the pump.
ii. If patients choose to use the meter remote feature, another option for protection is to program the OneTouch® Ping® pump to limit the amount of bolus insulin that can be delivered. Bolus deliveries can be limited through a number of customizable settings (maximum bolus amount, 2-hour amount, and total daily dose). Any attempt to exceed or override these settings will trigger a pump alarm and prevent bolus insulin delivery. For more information, please see Chapter 10 of Section I of the OneTouch® Ping® Owner’s Booklet.
iii. The company also suggests turning on the Vibrating Alert feature of the OneTouch® Ping® System, as described in Chapter 4 of Section I. This notifies the user that a bolus dose is being initiated by the meter remote, which gives the patient the option of canceling the bolus.
iv. The bolus delivery alert and the customizable limits on bolus insulin can only be enabled on the pump and cannot be altered by the meter remote. This is also true of basal insulin. Patients can also be reminded that any insulin delivery and the source of the delivery (pump or meter remote) are recorded in the pump history, so patients can review the bolus dosing."
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Johnson & Johnson||Affected||09 May 2016||04 Oct 2016|
CVSS Metrics (Learn More)
Thanks to Tod Beardsley of Rapid7 for reporting this vulnerability.
This document was written by Garret Wassermann.
- CVE IDs: CVE-2016-5084 CVE-2016-5085 CVE-2016-5086 CVE-2016-5686
- Date Public: 04 Oct 2016
- Date First Published: 04 Oct 2016
- Date Last Updated: 11 Oct 2016
- Document Revision: 52