-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2350
             Animas OneTouch Ping Insulin Pump Vulnerabilities
                              7 October 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Animas OneTouch Ping
Publisher:         ICS-CERT
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Mitigation
CVE Names:         CVE-2016-5086 CVE-2016-5085 CVE-2016-5084

Original Bulletin: 
   https://ics-cert.us-cert.gov/advisories/ICSMA-16-279-01

Comment: Proof of concept code is publicly available and the vulnerabilities 
         could directly impact patient safety. Note that a successful exploit
         requires close physical proximity to the pump.

- --------------------------BEGIN INCLUDED TEXT--------------------

Advisory (ICSMA-16-279-01)

Animas OneTouch Ping Insulin Pump Vulnerabilities

Original release date: October 05, 2016

Legal Notice

All information products included in http://ics-cert.us-cert.gov are provided
"as is" for informational purposes only. The Department of Homeland Security 
(DHS) does not provide any warranties of any kind regarding any information 
contained within. DHS does not endorse any commercial product or service, 
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For 
more information about TLP, see http://www.us-cert.gov/tlp/.

OVERVIEW

Rapid7 has identified vulnerabilities in the cybersecurity of the Animas 
OneTouch Ping insulin pump system. Animas will not be releasing a patch or new
version to mitigate these vulnerabilities. Animas has provided compensating 
controls to help reduce the risk associated with the exploitation of the 
identified vulnerabilities, and these compensating controls may impact device
functionality.

These vulnerabilities could be exploited remotely via radio frequency 
communications.

Detailed vulnerability information is publicly available that could be used to
develop an exploit that targets these vulnerabilities.

AFFECTED PRODUCTS

The following OneTouch Ping insulin pump system versions are affected:

    Animas OneTouch Ping insulin pump system, all versions.

IMPACT

Successful exploitation of these vulnerabilities may allow an attacker to 
spoof radio frequency communications between the meter remote and the pump to
issue unauthorized commands or replay captured communications to control the 
pump, to include administering insulin. The impact associated with the 
successful exploitation of these vulnerabilities could have a direct impact on
patient safety.

BACKGROUND

Animas is a subsidiary of Johnson & Johnson and is a US-based company that 
maintains offices in several countries around the world.

The affected product, the OneTouch Ping insulin pump system, is a two-part 
system consisting of a meter remote that uses radio frequency communication to
wirelessly communicate to the pump to deliver insulin.

According to Animas, the OneTouch Ping insulin pump system is deployed across
the Healthcare and Public Health sector. Animas states that this product is 
marketed in the U.S. and Canada.

VULNERABILITY CHARACTERIZATION

VULNERABILITY OVERVIEW

CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION [a]

All communications between the meter remote unit and the pump are transmitted
in cleartext.

CVE-2016-5084 [b] has been assigned to this vulnerability. A CVSS v3 base score 
of 6.5 has been assigned; the CVSS vector string is 
(AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). [c]

USE OF INSUFFICIENTLY RANDOM VALUES [d]

The setup of the Animas OneTouch Ping insulin pump system involves a pairing 
process during which a checksum is generated, which is then used as an 
encryption key during communications. This value does not change between 
authentication handshakes between the meter remote unit and the pump.

CVE-2016-5085 [e] has been assigned to this vulnerability. A CVSS v3 base score 
of 4.2 has been assigned; the CVSS vector string is 
(AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). [f]

AUTHENTICATION BYPASS BY CAPTURE-REPLAY [g]

An attacker can capture remote transmissions between the meter remote unit and
the pump and replay them to initiate unauthorized commands, to include 
administering insulin.

CVE-2016-5086 [h] has been assigned to this vulnerability. A CVSS v3 base score 
of 6.4 has been assigned; the CVSS vector string is 
(AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L). [i]

VULNERABILITY DETAILS

EXPLOITABILITY

These vulnerabilities could be exploited remotely via radio frequency 
communications.

EXISTENCE OF EXPLOIT

Detailed vulnerability information is publicly available that could be used to
develop an exploit that targets these vulnerabilities.

DIFFICULTY

An attacker with high skill would be able to exploit these vulnerabilities.

MITIGATION

Animas does not plan to release a firmware update to address the identified 
vulnerabilities. Animas reports that customer notifications are being sent to
patients and healthcare professionals; the notification is available on the 
Animas web site at the following location:

https://www.animas.com/sites/default/files/pdf/FINAL%20Letter%20to%20patients%20regarding%20OTP_10.04.16.16_WEB%20VERSION.PDF

Animas has provided the following compensating controls to help reduce the 
risk associated with the exploitation of the identified vulnerabilities:

- - The pump's radio frequency feature can be turned off, as explained in
Chapter 2 of Section III of the OneTouch Ping Owner's Booklet. However, turning
off this feature means that the pump and meter remote will no longer 
communicate, and blood glucose readings will need to be entered manually on the
pump.

- - If patients choose to use the meter remote feature, another option for 
protection is to program the OneTouch Ping pump to limit the amount of bolus 
insulin that can be delivered. Bolus deliveries can be limited through a 
number of customizable settings (maximum bolus amount, 2-hour amount, and 
total daily dose). Any attempt to exceed or override these settings will 
trigger a pump alarm and prevent bolus insulin delivery. For more information,
please see Chapter 10 of Section I of the OneTouch Ping Owner's Booklet.

- - Animas also suggests turning on the Vibrating Alert feature of the 
OneTouch Ping system, as described in Chapter 4 of Section I. This notifies 
the user that a bolus dose is being initiated by the meter remote, which gives
the patient the option of canceling the bolus.

- - The bolus delivery alert and the customizable limits on bolus insulin can
only be enabled on the pump and cannot be altered by the meter remote. This is
also true of basal insulin. Patients can also be reminded that any insulin 
delivery and the source of the delivery (pump or meter remote) are recorded in
the pump history, so patients can review the bolus dosing.
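As an added illustration that is not part of the advisory or of Animas's own
firmware: a small Python model of the pump-side limits described above
(maximum bolus amount, 2-hour amount, total daily dose), where a request that
would exceed any limit raises an alarm and is refused, and every delivery is
logged with its source. The limit values and the scenario of repeated copies
of one remote bolus request are constructed for the example.

```python
from collections import deque
from dataclasses import dataclass, field

TWO_HOURS = 2 * 60 * 60   # seconds
ONE_DAY = 24 * 60 * 60

@dataclass
class BolusLimiter:
    """Pump-side bolus limits. Values are hypothetical, in units of insulin (U)."""
    max_bolus: float    # largest single bolus the pump will deliver
    max_2h: float       # ceiling on bolus insulin in any rolling 2-hour window
    max_daily: float    # total daily dose ceiling (bolus only, for simplicity)
    history: deque = field(default_factory=deque)  # (time, units, source) per delivery
    alarms: list = field(default_factory=list)     # refused requests, for review

    def _recent_total(self, now, window):
        # Sum of bolus insulin delivered within the last `window` seconds.
        return sum(u for t, u, _ in self.history if now - t < window)

    def request_bolus(self, now, units, source):
        """Deliver `units` if every limit holds; otherwise alarm and refuse."""
        if units > self.max_bolus:
            reason = "exceeds maximum bolus amount"
        elif self._recent_total(now, TWO_HOURS) + units > self.max_2h:
            reason = "exceeds 2-hour amount"
        elif self._recent_total(now, ONE_DAY) + units > self.max_daily:
            reason = "exceeds total daily dose"
        else:
            self.history.append((now, units, source))  # logged with its source
            return True
        self.alarms.append((now, source, units, reason))
        return False

def repeated_remote_requests(copies, units=3.0, spacing=30):
    """Constructed scenario: one legitimate 3 U bolus from the meter remote,
    followed by `copies` identical repeats of that request seconds apart.
    Returns (delivered_count, refused_count, alarm_reasons)."""
    pump = BolusLimiter(max_bolus=10.0, max_2h=6.0, max_daily=40.0)
    results = [pump.request_bolus(0, units, "remote")]
    for i in range(1, copies + 1):
        results.append(pump.request_bolus(i * spacing, units, "remote"))
    reasons = [a[3] for a in pump.alarms]
    return results.count(True), results.count(False), reasons

if __name__ == "__main__":
    print(repeated_remote_requests(4))
```

With the constructed 6 U 2-hour limit, only the first two 3 U requests are
delivered; every further repeat inside the window is refused with an alarm.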

For additional information about the vulnerabilities or the compensating 
controls, users can contact the Animas Customer Technical Support at:

RA-ANMUS-CustomSupp@its.jnj.com or 1-877-937-7867.

NCCIC/ICS-CERT reminds users to perform proper impact analysis and risk 
assessment prior to deploying compensating controls.

a. CWE-319: Cleartext Transmission of Sensitive Information, 
https://cwe.mitre.org/data/definitions/319.html, web site last accessed 
October 05, 2016.

b. NVD, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5084, NIST 
uses this advisory to create the CVE web site report. This web site will be 
active sometime after publication of this advisory.

c. CVSS Calculator, 
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S..., 
web site last accessed October 05, 2016.

d. CWE-330: Use of Insufficiently Random Values, 
https://cwe.mitre.org/data/definitions/330.html, web site last accessed 
October 05, 2016.

e. NVD, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5085, NIST 
uses this advisory to create the CVE web site report. This web site will be 
active sometime after publication of this advisory.

f. CVSS Calculator, 
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S..., 
web site last accessed October 05, 2016.

g. CWE-294: Authentication Bypass by Capture-replay, 
https://cwe.mitre.org/data/definitions/294.html, web site last accessed 
October 05, 2016.

h. NVD, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5086, NIST 
uses this advisory to create the CVE web site report. This web site will be 
active sometime after publication of this advisory.

i. CVSS Calculator, 
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S..., 
web site last accessed October 05, 2016.

Contact Information

For any questions related to this report, please contact ICS-CERT at:

Email: ics-cert@hq.dhs.gov

Toll Free: 1-877-776-7585

International Callers: (208) 526-0900

For industrial control systems security information and incident reporting: 
http://ics-cert.us-cert.gov


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================