Rapid7 and Johnson & Johnson disclosed three vulnerabilities in the Animas OneTouch Ping insulin pump system, flaws that could be remotely exploited. However, the attack is sophisticated, and both say the risk of exploitation is "relatively low."

OneTouch Ping is a medical device that comes with a wireless remote control patients can use to deliver insulin instead of accessing the device under their clothes. The Johnson & Johnson Animas device is described as a "two-part system": the pump and a meter remote, which communicates wirelessly via RF communication "to deliver insulin from the pump."

The flaws were discovered by Jay Radcliffe, a security researcher at Rapid7 and a diabetic who has previously disclosed vulnerabilities in an insulin device. This time, Radcliffe discovered the OneTouch Ping insulin pump system doesn't use encryption to communicate. An attacker could spoof communications between the pump and the remote in order to force doses of insulin.

Rapid7 explained that because the communications are in cleartext, "a remote attacker can spoof the Meter Remote and trigger unauthorized insulin injections."

Johnson & Johnson took an unprecedented step, since the manufacturer is the first to issue a warning about cyber vulnerabilities. According to Reuters, Johnson & Johnson sent letters (pdf) to doctors and about 114,000 patients in the United States and Canada.
It said, "The probability of unauthorized access to the OneTouch Ping system is extremely low."

Animas was able to exploit the vulnerabilities disclosed in Radcliffe's research and confirmed "that a hacker could order the pump to dose insulin from a distance of up to 25 feet." Rapid7 said, "It is believed these attacks could be performed from one to two kilometers away, if not substantially further, using sufficient elevation and off-the-shelf radio transmission gear available to ham radio hobbyists."

Not wanting non-technical diabetics to panic, Radcliffe clarified, "Most people are at limited risk of any of the issues related to this research. These are sophisticated attacks that require being physically close to a pump. Some people will choose to see this as significant, and for that they can turn off the RF/remote features of the pump and eliminate that risk."

He advised against freaking out and removing the pump, since "removing an insulin pump from a diabetic over this risk is similar to never taking an airplane because it might crash." He added that if his kids were to become diabetics, then he "would not hesitate to put them on a OneTouch Ping. It is not perfect, but nothing is. In this process I have worked with Animas and its parent company, Johnson & Johnson, and know that they are focused on taking care of the patient and doing what is right."

Radcliffe did 90 percent of his research on the device that was attached to him for years. He wants medical devices to be safe in the future, urging vendors, regulators and researchers to work together. "As these devices get more advanced and eventually connect to the internet (directly or indirectly), the level of risk goes up dramatically," he said.

Rapid7 first reached out to the vendor in April. In September, Johnson & Johnson provided mitigations.
Today, October 4, the vulnerabilities were revealed to the public.

Radcliffe told Reuters that OneTouch Ping users should follow the steps in the letter from Johnson & Johnson in order to be safe. It explained how to turn off the pump's radio frequency feature. Users who wish to leave RF on can limit the amount of bolus insulin that can be delivered, as well as turn on vibrating alerts; the alerts notify a patient that a dose is being initiated by the meter remote and give them an option to cancel the dose.

You can find Rapid7's full findings about the "communications transmitted in cleartext, weak pairing between remote and pump, and lack of replay attack prevention or transmission assurance" here. Additionally, there is a demonstration video of an attack on the Animas OneTouch Ping.
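The three weaknesses Rapid7 lists (cleartext commands, weak pairing, no replay protection) are exactly what an authenticated, counter-stamped command frame is meant to close, and the bolus limit in the Johnson & Johnson letter is a receiver-side check. The following is an added illustration of those controls on a toy remote-to-pump dose command; it is not the OneTouch Ping protocol or any vendor code, and the pairing key, frame layout and bolus cap are constructed assumptions.

```python
import hashlib
import hmac
import struct

# Constructed pairing key shared by meter remote and pump (assumption, not a real key).
PAIRING_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
# Hypothetical cap configured by the patient: 5.0 units per remote-initiated bolus.
MAX_BOLUS_UNITS_X10 = 50

def build_dose_command(key, counter, units_x10):
    """Remote side: frame = counter (4 bytes) || dose in 0.1 units (2 bytes) || HMAC tag (16 bytes).

    The tag binds the dose to the pairing key, so a cleartext-only observer cannot
    forge it; the counter lets the pump reject a captured frame that is re-sent."""
    body = struct.pack(">IH", counter, units_x10)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:16]
    return body + tag

class PumpReceiver:
    """Pump side: verifies authenticity, freshness and the configured bolus limit."""

    def __init__(self, key, max_units_x10):
        self.key = key
        self.max_units_x10 = max_units_x10
        self.last_counter = 0  # highest counter accepted so far; must only increase

    def accept(self, frame):
        """Return (accepted, reason) for one received frame."""
        if len(frame) != 6 + 16:
            return False, "malformed"
        body, tag = frame[:6], frame[6:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag"        # spoofed by a sender without the pairing key
        counter, units_x10 = struct.unpack(">IH", body)
        if counter <= self.last_counter:
            return False, "replay"         # a frame seen before (or older) was re-sent
        if units_x10 > self.max_units_x10:
            return False, "over limit"     # exceeds the patient-configured bolus cap
        self.last_counter = counter
        return True, "dosed %d.%d units" % (units_x10 // 10, units_x10 % 10)

def demo():
    """Walk one legitimate command, its replay, a forgery and an over-limit request."""
    pump = PumpReceiver(PAIRING_KEY, MAX_BOLUS_UNITS_X10)
    good = build_dose_command(PAIRING_KEY, 1, 20)
    forged = build_dose_command(b"wrong-key-without-pairing", 2, 20)
    too_big = build_dose_command(PAIRING_KEY, 2, 80)
    return [pump.accept(good), pump.accept(good), pump.accept(forged), pump.accept(too_big)]
```

Without the tag and counter, the pump has no way to tell the remote's frame from a copy of it, which is the situation the advisory describes.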