CVSS2: 9.3 High
  Attack Vector: NETWORK | Attack Complexity: MEDIUM | Authentication: NONE
  Confidentiality Impact: COMPLETE | Integrity Impact: COMPLETE | Availability Impact: COMPLETE
  Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS3: 9.8 High
  Attack Vector: NETWORK | Attack Complexity: LOW | Privileges Required: NONE | User Interaction: NONE | Scope: UNCHANGED
  Confidentiality Impact: HIGH | Integrity Impact: HIGH | Availability Impact: HIGH
  Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.013 Low (Percentile: 86.2%)
Rapid7 has identified vulnerabilities in the cybersecurity of the Animas OneTouch Ping insulin pump system. Animas will not be releasing a patch or new version to mitigate these vulnerabilities. Animas has provided compensating controls to help reduce the risk associated with the exploitation of the identified vulnerabilities, and these compensating controls may impact device functionality.
These vulnerabilities could be exploited remotely via radio frequency communications.
Detailed vulnerability information is publicly available that could be used to develop an exploit that targets these vulnerabilities.
The following OneTouch Ping insulin pump system versions are affected:
Successful exploitation of these vulnerabilities may allow an attacker to spoof radio frequency communications between the meter remote and the pump to issue unauthorized commands or replay captured communications to control the pump, to include administering insulin. The impact associated with the successful exploitation of these vulnerabilities could have a direct impact on patient safety.
Animas is a subsidiary of Johnson & Johnson and is a US-based company that maintains offices in several countries around the world.
The affected product, the OneTouch Ping insulin pump system, is a two-part system consisting of a meter remote that uses radio frequency communication to wirelessly communicate to the pump to deliver insulin.
According to Animas, the OneTouch Ping insulin pump system is deployed across the Healthcare and Public Health sector. Animas states that this product is marketed in the U.S. and Canada.
All communications between the meter remote unit and the pump are transmitted in cleartext.
CVE-2016-5084 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Footnotes: NVD, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5084; NIST uses this advisory to create the CVE web site report, which will be active sometime after publication of this advisory. CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, web site last accessed October 05, 2016.
The setup of the Animas OneTouch Ping insulin pump system involves a pairing process during which a checksum is generated, which is then used as an encryption key during communications. This value does not change between authentication handshakes between the meter remote unit and the pump.
CVE-2016-5085 has been assigned to this vulnerability. A CVSS v3 base score of 4.2 has been assigned; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
Footnotes: NVD, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5085; NIST uses this advisory to create the CVE web site report, which will be active sometime after publication of this advisory. CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N, web site last accessed October 05, 2016.
An attacker can capture remote transmissions between the meter remote unit and the pump and replay them to initiate unauthorized commands, to include administering insulin.
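The two weaknesses described above, a pairing value that never changes and no freshness in the transmitted frames, are what make capture-and-replay possible regardless of how strongly each frame is protected. The following is an added illustration written for this page; it is not the pump's protocol and not code from Animas, Rapid7 or ICS-CERT. It places a receiver that verifies frames against a static secret alone beside one that binds each frame to a monotonically increasing counter and refuses any counter it has already seen. The secret, the command bytes and all names are constructed.

```python
import hashlib
import hmac
import struct

# Constructed stand-in for a static per-pairing secret (hypothetical value).
PAIRING_SECRET = b"constructed-pairing-secret"
TAG_LEN = 8  # truncated HMAC-SHA256 tag, enough for the illustration


def weak_encode(command: bytes) -> bytes:
    """Static-secret scheme: the tag depends only on the secret and the
    command, so the same command always yields the same frame."""
    tag = hmac.new(PAIRING_SECRET, command, hashlib.sha256).digest()[:TAG_LEN]
    return command + tag


class WeakReceiver:
    """Verifies integrity only; a captured frame verifies forever."""

    def accept(self, frame: bytes) -> bool:
        if len(frame) <= TAG_LEN:
            return False
        command, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(PAIRING_SECRET, command, hashlib.sha256).digest()[:TAG_LEN]
        return hmac.compare_digest(tag, expected)  # no freshness check


def strong_encode(command: bytes, counter: int) -> bytes:
    """Counter-bound scheme: the tag covers a 64-bit counter as well as the
    command, so every legitimate frame is unique."""
    header = struct.pack(">Q", counter)
    tag = hmac.new(PAIRING_SECRET, header + command, hashlib.sha256).digest()[:TAG_LEN]
    return header + command + tag


class StrongReceiver:
    """Verifies the tag, then rejects any counter not strictly greater than
    the last accepted one, which is what defeats replay."""

    def __init__(self) -> None:
        self.last_counter = -1

    def accept(self, frame: bytes) -> bool:
        if len(frame) <= 8 + TAG_LEN:
            return False
        header, command, tag = frame[:8], frame[8:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(PAIRING_SECRET, header + command, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or tampered frame
        (counter,) = struct.unpack(">Q", header)
        if counter <= self.last_counter:
            return False  # replayed (or out-of-order) frame
        self.last_counter = counter
        return True


def demo() -> dict:
    """Run both receivers against a first frame, a replay of it, a fresh
    frame and a tampered frame; returns the accept/reject outcomes."""
    command = b"CMD:constructed-sample"  # constructed payload

    weak = WeakReceiver()
    weak_frame = weak_encode(command)
    outcome = {
        "weak_first": weak.accept(weak_frame),
        "weak_replay": weak.accept(weak_frame),  # identical captured frame
    }

    strong = StrongReceiver()
    first = strong_encode(command, 1)
    outcome["strong_first"] = strong.accept(first)
    outcome["strong_replay"] = strong.accept(first)  # same frame again
    outcome["strong_next"] = strong.accept(strong_encode(command, 2))
    tampered = bytearray(strong_encode(command, 3))
    tampered[8] ^= 0x01  # flip one bit of the command
    outcome["strong_tampered"] = strong.accept(bytes(tampered))
    return outcome


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The point the comparison makes is that the weak receiver's tag is perfectly valid cryptography and still accepts the replay, because nothing in the frame distinguishes a fresh transmission from a recorded one; the counter (a nonce or challenge-response would serve the same role) supplies that distinction, and the receiver has to remember state across frames to enforce it.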
CVE-2016-5086 has been assigned to this vulnerability. A CVSS v3 base score of 6.4 has been assigned; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L).
Footnotes: NVD, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5086; NIST uses this advisory to create the CVE web site report, which will be active sometime after publication of this advisory. CVSS Calculator, https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L, web site last accessed October 05, 2016.
These vulnerabilities could be exploited remotely via radio frequency communications.
Detailed vulnerability information is publicly available that could be used to develop an exploit that targets these vulnerabilities.
An attacker with high skill would be able to exploit these vulnerabilities.
Animas does not plan to release a firmware update to address the identified vulnerabilities. Animas reports that customer notifications are being sent to patients and healthcare professionals; the notification letter is available on Animas' web site at the link listed below.
Animas has provided the following compensating controls to help reduce the risk associated with the exploitation of the identified vulnerabilities:
For additional information about the vulnerabilities or the compensating controls, users can contact the Animas Customer Technical Support at:
[email protected] or 1-877-937-7867.
NCCIC/ICS-CERT reminds users to perform proper impact analysis and risk assessment prior to deploying compensating controls.
Animas customer notification letter: www.animas.com/sites/default/files/pdf/FINAL%20Letter%20to%20patients%20regarding%20OTP_10.04.16.16_WEB%20VERSION.PDF