Cyber bug in J&J’s insulin pump

Johnson & Johnson is warning users of a cyber security bug in one of its insulin pumps that could allow a hacker to overdose diabetic patients, Reuters has learned. Fred Katayama reports.

(REUTERS / JOHNSON & JOHNSON) – A frightening prospect: a hacker overdoses diabetic patients with insulin. Reuters has learned Johnson & Johnson is warning diabetic patients that a hacker could exploit a cyber security bug in one of its insulin pumps.

At issue: the J&J Animas OneTouch Ping. Patients can use its wireless remote control to tell the pump to dose insulin. The security researcher who reported the vulnerability to J&J, Rapid7 senior security consultant Jay Radcliffe, said hackers could gain access because that communication is not encrypted.

The company sent out letters Monday to doctors and 114,000 patients in the U.S., saying, “The probability of unauthorized access to the OneTouch Ping system is extremely low.” J&J told Reuters the system is safe and reliable.

It said users could prevent potential attacks by not using the remote control and by programming the pump to limit the maximum dose. Radcliffe, who is working with J&J on the issue, agrees, saying users would be safe if they followed J&J’s steps outlined in the letter. The Food and Drug Administration declined to comment on J&J’s handling of the bug.