Johnson & Johnson’s Warning About Its Hackable Insulin Pump Is Terrifying

Medical device makers don’t take security seriously enough at all.

Johnson & Johnson’s Warning About Its Hackable Insulin Pump Is Terrifying

Johnson & Johnson’s Animas OneTouch Ping insulin pump can be hacked by anyone within 25 feet of the user. With the right radio equipment, a hacker can take control of the pump and trigger unauthorized insulin injections. The Johnson & Johnson-owned Animas Corporation has sent a letter to users to warn them of the vulnerability.


The exploit is possible because there is almost no security designed into the pump. The details of the hack have been published by security researcher Rapid 7, but the basics are as follows: The pump has a wireless remote control, so that users can dose themselves without digging under their clothes to reach the pump itself. This wireless connection is unencrypted. Just like listening in on old-style police radio, anyone can tune in with the right gadget.

In its letter to customers, Johnson & Johnson said that “the OneTouch Ping System continues to be safe and effective for helping you manage your diabetes.” However, the letter also outlines steps to protect against attacks. This boils down to switching off the radio in the pump, but that means you can toss the remote control, because it’s useless now. If you like to live dangerously, you can keep the remote enabled, but limit the maximum dose on the unit itself, and enable a vibrating alert that buzzes every time a dose is administered.

The problem is that medical device makers don’t take security seriously enough. While entities like banks (theoretically) design their systems with security as a major feature, medical device manufacturers seem not to care for it at all. The problem is so pressing that a group of scientists and neurosurgeons have authored a paper exploring the dangers of what it calls “brainjacking.”

Similar issues exist around “internet of things” devices like Wi-Fi lightbulbs and internet-connected printers. The difference is that a weakness in a printer’s security will be used as a way into your home Wi-Fi network, whereas a hacked pacemaker, or brain implant, can kill you or even control your behavior. The other difference is that you can get rid of your smartphone-controlled toaster, but not your brain implant.

The Animas insulin pump isn’t connected to the internet, though, nor does it use Wi-Fi. But Rapid 7’s Jay Radcliffe (an insulin user himself) warns that it could still be hacked from afar. “While the normal use case between the remote and pump is approximately 10 meters,” he writes, “[…] it is believed these attacks could be performed from one to two kilometers away, if not substantially further, using sufficient elevation and off-the-shelf radio transmission gear available to ham radio hobbyists.”

But why would anyone attack? “Why not?” is the first answer, but there are more. Here’s a snippet from the aforementioned paper on brainjacking:


Attacks could be made for a variety of reasons including blackmail, malice against an individual, or manipulation of a politically notable individual. The motive need not even be rational; in 2008 a website for epilepsy sufferers was attacked using flashing images designed to trigger seizures, with the attackers’ apparent motivation being amusement

And just because nobody has figured out a good motivation to hack insulin pumps doesn’t mean that they can be left unsecured. The fact that it can be done means that it will be done, sooner or later. In the meantime, though, users of the vulnerable pump shouldn’t panic. First, you can disable remote control altogether by following the instruction in the manual (Setup -\> Advanced -\> Meter/10 screen, and selecting “RF = OFF”). And second, the risk really isn’t that high, especially compared to the risks of stopping your insulin doses. Radcliffe again:

Always take care of your diabetes first. We all know the dangers of high blood sugar and low blood sugar too. These risks often far outweigh the risks highlighted in this research. If you are concerned, work with your endocrinologist and device vendor to make sure you are making the best choices. Removing an insulin pump from a diabetic over this risk is similar to never taking an airplane because it might crash.

Have something to say about this article? You can email us and let us know. If it’s interesting and thoughtful, we may publish your response.

[All Photos: via OneTouch]

About the author

Previously found writing at, Cult of Mac and Straight No filter.