-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2350
             Animas OneTouch Ping Insulin Pump Vulnerabilities
                               7 October 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Animas OneTouch Ping
Publisher:         ICS-CERT
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Mitigation
CVE Names:         CVE-2016-5086 CVE-2016-5085 CVE-2016-5084

Original Bulletin:
   https://ics-cert.us-cert.gov/advisories/ICSMA-16-279-01

Comment: Proof of concept code is publicly available and the vulnerabilities
         could directly impact patient safety. Note that a successful exploit
         requires close physical proximity to the pump.

- --------------------------BEGIN INCLUDED TEXT--------------------

Advisory (ICSMA-16-279-01)

Animas OneTouch Ping Insulin Pump Vulnerabilities

Original release date: October 05, 2016

Legal Notice

All information products included in http://ics-cert.us-cert.gov are provided
"as is" for informational purposes only. The Department of Homeland Security
(DHS) does not provide any warranties of any kind regarding any information
contained within. DHS does not endorse any commercial product or service,
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For more
information about TLP, see http://www.us-cert.gov/tlp/.

OVERVIEW

Rapid7 has identified vulnerabilities in the cybersecurity of the Animas
OneTouch Ping insulin pump system. Animas will not be releasing a patch or new
version to mitigate these vulnerabilities.
Animas has provided compensating controls to help reduce the risk associated
with the exploitation of the identified vulnerabilities, and these
compensating controls may impact device functionality.

These vulnerabilities could be exploited remotely via radio frequency
communications. Detailed vulnerability information is publicly available that
could be used to develop an exploit that targets these vulnerabilities.

AFFECTED PRODUCTS

The following OneTouch Ping insulin pump system versions are affected:

- - Animas OneTouch Ping insulin pump system, all versions.

IMPACT

Successful exploitation of these vulnerabilities may allow an attacker to spoof
radio frequency communications between the meter remote and the pump to issue
unauthorized commands or replay captured communications to control the pump,
to include administering insulin. The impact associated with the successful
exploitation of these vulnerabilities could have a direct impact on patient
safety.

BACKGROUND

Animas is a subsidiary of Johnson & Johnson and is a US-based company that
maintains offices in several countries around the world.

The affected product, the OneTouch Ping insulin pump system, is a two-part
system consisting of a meter remote that uses radio frequency communication to
wirelessly communicate to the pump to deliver insulin. According to Animas, the
OneTouch Ping insulin pump system is deployed across the Healthcare and Public
Health sector. Animas states that this product is marketed in the U.S. and
Canada.

VULNERABILITY CHARACTERIZATION

VULNERABILITY OVERVIEW

CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION [a]

All communications between the meter remote unit and the pump are transmitted
in cleartext.

CVE-2016-5084 [b] has been assigned to this vulnerability. A CVSS v3 base score
of 6.5 has been assigned; the CVSS vector string is
(AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
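The receiver-side property this advisory's cleartext and capture-replay findings turn on is freshness: a pump that checks only a value fixed at pairing cannot tell a captured frame from a new one. The following is an added, constructed model (not code from the advisory, Rapid7 or Animas, and not the real OneTouch Ping protocol) contrasting such a receiver with one that binds every command to a single-use random challenge and an HMAC under the pairing key; the pairing key, command strings and frame layout are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the value fixed at pairing; not real pairing data.
PAIRING_KEY = b"constructed-pairing-key"


class StaticChecksumPump:
    """Weak design: the only check is a fixed checksum over the command."""

    def __init__(self, key=PAIRING_KEY):
        self.key, self.delivered = key, []

    def checksum(self, command: bytes) -> bytes:
        return hashlib.sha256(self.key + command).digest()[:4]

    def accept(self, frame) -> bool:
        command, tag = frame
        if tag != self.checksum(command):
            return False
        self.delivered.append(command)  # a captured frame passes again: no freshness
        return True


class ChallengeResponsePump:
    """Hardened design: each command must answer a single-use random challenge."""

    def __init__(self, key=PAIRING_KEY):
        self.key, self.delivered, self.outstanding = key, [], None

    def challenge(self) -> bytes:
        self.outstanding = secrets.token_bytes(16)  # fresh per command
        return self.outstanding

    def accept(self, frame) -> bool:
        command, nonce, tag = frame
        if nonce != self.outstanding:
            return False  # unknown or already consumed challenge: treat as replay
        self.outstanding = None  # consume before acting, so a repeat cannot pass
        expected = hmac.new(self.key, nonce + command, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # forged or altered command
        self.delivered.append(command)
        return True


def remote_sign(key: bytes, nonce: bytes, command: bytes):
    """Meter-remote side of the hardened exchange: bind the command to the challenge."""
    return command, nonce, hmac.new(key, nonce + command, hashlib.sha256).digest()
```

The hardened receiver also records only the commands it actually accepted, which is the same kind of record the advisory's pump-history review relies on.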
[c]

USE OF INSUFFICIENTLY RANDOM VALUES [d]

The setup of the Animas OneTouch Ping insulin pump system involves a pairing
process during which a checksum is generated, which is then used as an
encryption key during communications. This value does not change between
authentication handshakes between the meter remote unit and the pump.

CVE-2016-5085 [e] has been assigned to this vulnerability. A CVSS v3 base score
of 4.2 has been assigned; the CVSS vector string is
(AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). [f]

AUTHENTICATION BYPASS BY CAPTURE-REPLAY [g]

An attacker can capture remote transmissions between the meter remote unit and
the pump and replay them to initiate unauthorized commands, to include
administering insulin.

CVE-2016-5086 [h] has been assigned to this vulnerability. A CVSS v3 base score
of 6.4 has been assigned; the CVSS vector string is
(AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L). [i]

VULNERABILITY DETAILS

EXPLOITABILITY

These vulnerabilities could be exploited remotely via radio frequency
communications.

EXISTENCE OF EXPLOIT

Detailed vulnerability information is publicly available that could be used to
develop an exploit that targets these vulnerabilities.

DIFFICULTY

An attacker with high skill would be able to exploit these vulnerabilities.

MITIGATION

Animas does not plan to release a firmware update to address the identified
vulnerabilities. Animas reports that customer notifications are being sent to
patients and healthcare professionals; the notification is available on the
Animas web site at the following location:

https://www.animas.com/sites/default/files/pdf/FINAL%20Letter%20to%20patients%20regarding%20OTP_10.04.16.16_WEB%20VERSION.PDF

Animas has provided the following compensating controls to help reduce the
risk associated with the exploitation of the identified vulnerabilities:

- - The pump's radio frequency feature can be turned off, which is explained in
    Chapter 2 of Section III of the OneTouch Ping Owner's Booklet.
    However, turning off this feature means that the pump and meter remote
    will no longer communicate and blood glucose readings will need to be
    entered manually on the pump.

- - If patients choose to use the meter remote feature, another option for
    protection is to program the OneTouch Ping pump to limit the amount of
    bolus insulin that can be delivered. Bolus deliveries can be limited
    through a number of customizable settings (maximum bolus amount, 2-hour
    amount, and total daily dose). Any attempt to exceed or override these
    settings will trigger a pump alarm and prevent bolus insulin delivery.
    For more information, please see Chapter 10 of Section I of the OneTouch
    Ping Owner's Booklet.

- - Animas also suggests turning on the Vibrating Alert feature of the
    OneTouch Ping system, as described in Chapter 4 of Section I. This
    notifies the user that a bolus dose is being initiated by the meter
    remote, which gives the patient the option of canceling the bolus.

- - The bolus delivery alert and the customizable limits on bolus insulin can
    only be enabled on the pump and cannot be altered by the meter remote.
    This is also true of basal insulin. Patients can also be reminded that
    any insulin delivery and the source of the delivery (pump or meter
    remote) are recorded in the pump history, so your patients can review
    the bolus dosing.

For additional information about the vulnerabilities or the compensating
controls, users can contact the Animas Customer Technical Support at:
RA-ANMUS-CustomSupp@its.jnj.com or 1-877-937-7867.

NCCIC/ICS-CERT reminds users to perform proper impact analysis and risk
assessment prior to deploying compensating controls.

a. CWE-319: Cleartext Transmission of Sensitive Information,
   https://cwe.mitre.org/data/definitions/319.html, web site last accessed
   October 05, 2016.
b. NVD, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5084, NIST
   uses this advisory to create the CVE web site report.
   This web site will be active sometime after publication of this advisory.
c. CVSS Calculator,
   https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S...,
   web site last accessed October 05, 2016.
d. CWE-330: Use of Insufficiently Random Values,
   https://cwe.mitre.org/data/definitions/330.html, web site last accessed
   October 05, 2016.
e. NVD, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5085, NIST
   uses this advisory to create the CVE web site report. This web site will be
   active sometime after publication of this advisory.
f. CVSS Calculator,
   https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S...,
   web site last accessed October 05, 2016.
g. CWE-294: Authentication Bypass by Capture-replay,
   https://cwe.mitre.org/data/definitions/294.html, web site last accessed
   October 05, 2016.
h. NVD, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5086, NIST
   uses this advisory to create the CVE web site report. This web site will be
   active sometime after publication of this advisory.
i. CVSS Calculator,
   https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S...,
   web site last accessed October 05, 2016.

Contact Information

For any questions related to this report, please contact ICS-CERT at:

Email: ics-cert@hq.dhs.gov
Toll Free: 1-877-776-7585
International Callers: (208) 526-0900

For industrial control systems security information and incident reporting:
http://ics-cert.us-cert.gov

ICS-CERT continuously strives to improve its products and services. You can
help by choosing one of the links below to provide feedback about this product.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================