Recently, a researcher uncovered a major security flaw in an insulin pump sold by Johnson and Johnson. The Animas OneTouch insulin pump has a WiFi feature that allows a diabetic patient wearing the device to give himself an injection of insulin without ever touching the pump itself.
While convenient, the pump has absolutely no security built into it. Any hacker who gets within twenty-five feet of the device could intercept the signal, review the dosing information, which is simply stored as plain text, change it to whatever value he liked, and then issue an order to inject.
The end result is that the hacker could give the patient wearing the pump a potentially lethal dose.
Johnson and Johnson was made aware of the security flaw back in September, but has only just now begun notifying the 114,000 patients currently using the device that there’s an issue. The stated reason for the long delay was that the company wanted to reproduce the hack for itself to study it.
This is by no means the first hack discovered among the rapidly expanding collection of internet-connected devices, but it bears the distinction of being potentially lethal. No one is likely to die if their smart dishwasher gets hacked, but this takes the threat to a whole different level.
While Johnson and Johnson has published a workaround that should minimize the risks to the patients using their pump, so far, no plans have been announced to add digital security features to the device. This is, unfortunately, representative of a far broader trend.
Manufacturers seem quite eager to make and sell all manner of smart, internet-connected devices, but thus far have been almost categorically unwilling to build even rudimentary security features into them. Until that changes, we can expect to hear more about exploits that enable even moderately talented hackers to take control of these devices, and it’s just a matter of time until someone dies as a result.