This morning the DHS ICS-CERT published a medical control
system advisory for multiple vulnerabilities in the Animas OneTouch Ping
insulin pump system. The vulnerabilities were reported by Jay Radcliffe of Rapid7
(Note: ICS-CERT does not credit Jay, just Rapid7). Animas (a subsidiary of
Johnson and Johnson) has published compensating controls, but will not
(apparently) be releasing a patch or new version to mitigate the
vulnerabilities. Animas is directly
notifying patients and health care professionals about the vulnerabilities
and compensating controls.
The vulnerabilities reported are:
• Cleartext transmission of sensitive information - CVE-2016-5084;
• Use of insufficiently random values - CVE-2016-5085; and
• Authentication bypass by capture-replay - CVE-2016-5086
While ICS-CERT reports that detailed “vulnerability
information is publicly available that could be used to develop an exploit that
targets these vulnerabilities”, they claim that it would take a skilled
attacker to remotely exploit the vulnerabilities. This may be because an RF transceiver
and relatively close access (normally 10 meters) would be required to exploit these
vulnerabilities.
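As an added illustration (not code from the advisory, from Rapid7's report, or from the pump's actual protocol), the following Python sketch shows the defensive side of the three weakness classes listed above: a command channel that is cleartext and has no freshness check accepts a captured frame a second time, while a frame carrying a monotonic counter and an HMAC under a shared key is rejected when it is replayed or altered. The key, command strings and frame layout are constructed for the demo. It deliberately omits encryption, so it covers integrity and replay protection only, not confidentiality; and because freshness comes from a counter rather than a random nonce, it does not depend on the quality of a random number generator.

```python
import hmac
import hashlib
import struct

# Constructed demo key; a real device would hold a per-pairing secret.
KEY = b"constructed-demo-pairing-key"


class WeakReceiver:
    """Accepts any cleartext command as-is: no integrity, no freshness.

    A captured frame can be re-sent verbatim and is accepted again
    (capture-replay), and its content is readable to anyone in RF range
    (cleartext transmission).
    """

    def __init__(self):
        self.executed = []

    def accept(self, frame: bytes) -> bool:
        self.executed.append(frame.decode())
        return True


class Sender:
    """Builds frames as counter || command || HMAC(key, counter || command)."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def build(self, command: str) -> bytes:
        self.counter += 1                      # strictly increasing per frame
        body = struct.pack(">I", self.counter) + command.encode()
        tag = hmac.new(self.key, body, hashlib.sha256).digest()
        return body + tag


class Receiver:
    """Rejects forged frames (bad tag) and replayed frames (stale counter)."""

    TAG_LEN = 32  # SHA-256 HMAC output length

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0
        self.executed = []

    def accept(self, frame: bytes):
        if len(frame) < 4 + self.TAG_LEN:
            return None                        # malformed frame
        body, tag = frame[:-self.TAG_LEN], frame[-self.TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison so the tag check leaks nothing via timing.
        if not hmac.compare_digest(tag, expected):
            return None                        # forged or altered frame
        (counter,) = struct.unpack(">I", body[:4])
        if counter <= self.last_counter:
            return None                        # replayed (or reordered) frame
        self.last_counter = counter
        command = body[4:].decode()
        self.executed.append(command)
        return command


def demo():
    """Runs both receivers against a captured frame and returns the outcomes."""
    weak = WeakReceiver()
    captured = b"SET_RATE 1.0"                 # constructed command
    weak.accept(captured)
    replay_on_weak = weak.accept(captured)     # True: replay accepted

    sender, receiver = Sender(KEY), Receiver(KEY)
    frame = sender.build("SET_RATE 1.0")
    first = receiver.accept(frame)             # "SET_RATE 1.0"
    replayed = receiver.accept(frame)          # None: counter already used
    altered = frame[:4] + b"SET_RATE 9.9" + frame[-Receiver.TAG_LEN:]
    forged = receiver.accept(altered)          # None: tag no longer matches
    return replay_on_weak, first, replayed, forged


if __name__ == "__main__":
    print(demo())
```

The receiver checks the tag before the counter so that an attacker cannot probe counter state with unauthenticated frames; a production design would also persist the counter across power cycles and pair devices with a key that is never sent over the air.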
Rapid7 published
their report on these vulnerabilities on their web site on September 28th.
The Animas patient letter was dated yesterday.
Commentary
I noted in a TWEET® this morning: “Inefficient but effective
workarounds, how about an update to correct the problem? Or would that require
complete redesign?” ICS-CERT briefly addresses this efficiency issue by noting
that the “compensating controls may impact device functionality”. Radcliffe
reminds us in the Rapid7 report that:
“First, know that we take risks
every day. We leave the house. We drive a car. We eat a muffin. We guess the
amount of carbs. All entail risk. This research uncovers a previously unknown
risk. This is similar to saying that there is risk of an asteroid hitting you,
a car accident occurring or miscalculating the amount of insulin for that
muffin you ate. Some of those risks are low (asteroid) some are high (insulin).
This knowledge of risk allows individuals to make personal decisions. Most
people are at limited risk of any of the issues related to this research. These
are sophisticated attacks that require being physically close to a pump. Some
people will choose to see this as significant, and for that they can turn off
the rf/remote features of the pump and eliminate that risk.”
Individuals can assess their personal risk that someone
would conduct an attack on their person using these vulnerabilities to
personally harm them by inducing hypoglycemia through an insulin overdose; most
people would rate this risk of a personal attack as very low. What would be
harder for an individual to assess is the risk of someone using this set of
vulnerabilities to conduct an attack on Animas or Johnson and Johnson. Even a
small number of publicized attacks on individual OneTouch Ping system owners
could have a very serious financial impact on Johnson and Johnson in both
liability costs and negative publicity costs. Individual device owners would
probably have a difficult time assessing that risk to the operation of their
insulin pumps. What is sad is that I suspect that Johnson and Johnson have not
really evaluated the possibility of that sort of a corporate attack since their
advisory letter sounds as if it had been written by the sales department, not
the legal department.