Johnson & Johnson is warning diabetes patients of a defect in one of its insulin pumps that could theoretically allow hackers to access the pump and maliciously overdose patients with insulin.
The vulnerability lies in the OneTouch Insulin Pump’s unencrypted radio frequency communication system, the company said in a statement. But it characterized the risk as “extremely low.” Hackers would need sophisticated equipment and close physical proximity — within 25 feet of the device — as the system is not connected to the internet or any external network, the company said.
Diabetics use insulin pumps to keep their blood sugar steady between meals. Patients using the OneTouch Insulin Pump — sold by Animas, a Johnson & Johnson company — can give themselves insulin through a wireless remote control, which communicates with the pump via radio frequency.
The pumps, which have been on the market since 2008, are reportedly used by 114,000 patients in the U.S. and Canada.
The company insists the pump is still safe and effective to use, and outlined ways in which patients can eliminate the risk of outside influence. Those who are concerned could turn off the pump’s radio frequency, program the pump to limit the amount of bolus insulin that it can deliver, and turn on vibration alerts, which would alert patients whenever a dose is being initiated by a meter remote.
Jay Radcliffe, a researcher with the internet security company Rapid7, identified the product flaw, according to USA Today.
Radcliffe said it’s important to note that insulin pumps run on a much longer development cycle than other technologies, like cellphones.
“This pump was probably designed ten or 15 years ago, when no one was thinking about security around communications protocols,” he told USA Today, adding that Johnson & Johnson has “done a great job” responding to the vulnerability.