H-ISAC TLP White Vulnerability Report - Researchers Identify High-Severity Vulnerability in Insulet Omnipod Devices

November 29, 2021

Researchers have discovered a high-severity protocol design vulnerability in the Omnipod Insulin Management System that could allow an attacker to use replay-like techniques to send programming commands of their choice to a targeted Omnipod device. Such commands include:

  • A command to inject insulin immediately
  • A command to schedule insulin injections for later delivery
  • A command to cancel insulin injections
  • A command to reconfigure alerts and silently acknowledge them
  • A command to shut the Omnipod pump down completely

These commands can be sent without the consent of the user and without any alert appearing on the user's devices. The protocol design exploit has been tested and proven against Omnipod devices from up to six meters away. The researchers warn that this proof-of-concept demonstration has not been weaponized, and that malicious actors could modify it to allow successful exploitation from even greater distances. Proof-of-concept code has not been released to the public but is expected to be released at a later, unspecified time. The researchers have also provided several mitigation strategies, which are included in this alert.

A full report from the researchers regarding the vulnerability can be accessed here.


An unlisted demo of the vulnerability, posted by the researchers, can be accessed here.

Disclosure Timeline:

  • November 27th, 2020: First contact with Insulet
  • November 27th, 2020: Contact with the Danish Medicines Agency established
  • December 21st, 2020: Second outreach to Insulet
  • Early November 2021: Danish media contacted
  • November 22nd, 2021: Insulet forewarned about the pending public and media release
  • November 25th, 2021: First response from Insulet
  • November 25th, 2021: All relevant information sent to Insulet
  • November 25th, 2021: Official public release

View the detailed report below. 

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

Senior Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272