
SOOIL Diabecare RS Insulin Pump Vulnerabilities



Summary

Nine vulnerabilities in SOOIL's Dana Diabecare RS insulin pump and its mobile apps have been disclosed by the manufacturer. Seven of the vulnerabilities appear to be the result of a poor implementation of the Bluetooth Low Energy communication protocol.


Affected platforms

The following platforms are known to be affected:

SOOIL Dana Diabecare RS Versions: all prior to 3.0

SOOIL AnyDana-i Versions: all prior to 3.0

SOOIL AnyDana-A Versions: all prior to 3.0


Threat details

Introduction

SOOIL Development has released details of nine vulnerabilities affecting their Dana Diabecare RS insulin pump and two attendant mobile applications. They claim that a local attacker could exploit some or all of these vulnerabilities to bypass authentication steps, alter therapy parameters, or cause a denial-of-service condition.


Vulnerability details

Seven of the nine vulnerabilities appear to be the result of flaws in the way the pump and applications implement the Bluetooth Low Energy (BLE) protocol.

  • CVE-2020-27256 - Dana Diabecare RS pumps use a hard-coded administration PIN. A physical attacker could use this to alter insulin delivery settings.
  • CVE-2020-27258 - The AnyDana (AnyDana-i and AnyDana-A) applications expose authentication data when using BLE to connect to pump systems. An attacker can extract the pump keypad lock PIN.
  • CVE-2020-27264 - The AnyDana applications use a deterministic key during authentication, allowing a local, unauthenticated attacker to brute-force these keys via BLE.
  • CVE-2020-27266 - Dana Diabecare RS pumps and the AnyDana applications have a client-side control vulnerability allowing a local, unauthenticated attacker to bypass authentication over BLE.
  • CVE-2020-27268 - Dana Diabecare RS pumps and the AnyDana applications allow a local, unauthenticated attacker to bypass default PIN checks via BLE.
  • CVE-2020-27269 - Dana Diabecare RS pumps and the AnyDana applications do not include replay protection measures, allowing a local, unauthenticated attacker to replay communication sequences via BLE.
  • CVE-2020-27270 - Dana Diabecare RS pumps and the AnyDana applications do not adequately protect encryption keys in transit, allowing a local, unauthenticated attacker to extract these keys via BLE.
  • CVE-2020-27272 - Dana Diabecare RS pumps and the AnyDana applications do not adequately authenticate each other before exchanging keys, allowing a local, unauthenticated attacker to spoof the pump via BLE.
  • CVE-2020-27276 - Dana Diabecare RS pumps and the AnyDana applications do not adequately authenticate entities before exchanging keys, allowing a local, unauthenticated attacker to eavesdrop on the authentication sequence via BLE.
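
As an added illustration, not part of this advisory and not SOOIL's actual protocol (which the advisory does not describe), the following Python model shows the two controls whose absence underlies CVE-2020-27269 (no replay protection) and CVE-2020-27272/CVE-2020-27276 (no authentication before commands are accepted): a pump-side verifier issues a single-use random challenge and accepts a therapy command only when it carries a valid keyed MAC over that challenge, a monotonic counter and the command bytes. The PumpVerifier and AppClient names, the command strings, the frame layout and the use of a randomly generated pre-shared key are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Hypothetical model of a pump-side command verifier. It is NOT the
# Dana Diabecare RS / AnyDana implementation; it only demonstrates the
# controls a BLE command channel needs so that captured frames cannot be
# replayed and parties without the key cannot issue commands.

COUNTER_BYTES = 4


def _tag(key: bytes, nonce: bytes, counter: int, command: bytes) -> bytes:
    # Keyed MAC binding the challenge, the counter and the command together.
    msg = nonce + counter.to_bytes(COUNTER_BYTES, "big") + command
    return hmac.new(key, msg, hashlib.sha256).digest()


class PumpVerifier:
    """Receiving side: issues challenges and verifies command frames."""

    def __init__(self, shared_key: bytes):
        self.key = shared_key
        self.outstanding = set()   # challenges issued but not yet consumed
        self.last_counter = 0      # highest counter accepted so far

    def issue_challenge(self) -> bytes:
        # Fresh random nonce per command; the app must echo it back.
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, counter: int, command: bytes, tag: bytes) -> bool:
        # 1. Replay protection: a challenge is valid exactly once.
        if nonce not in self.outstanding:
            return False
        # 2. Authentication: only a holder of the shared key can produce the tag,
        #    and any change to nonce, counter or command invalidates it.
        if not hmac.compare_digest(_tag(self.key, nonce, counter, command), tag):
            return False
        # 3. Monotonic counter: reject stale or reordered frames.
        if counter <= self.last_counter:
            return False
        self.outstanding.discard(nonce)
        self.last_counter = counter
        return True


class AppClient:
    """Sending side: builds authenticated frames for a given challenge."""

    def __init__(self, shared_key: bytes):
        self.key = shared_key
        self.counter = 0

    def build(self, nonce: bytes, command: bytes):
        self.counter += 1
        return (nonce, self.counter, command, _tag(self.key, nonce, self.counter, command))


def demo():
    """Returns (legitimate, replayed, unauthenticated, tampered) outcomes."""
    key = os.urandom(32)               # constructed pre-shared key for the demo
    pump = PumpVerifier(key)
    app = AppClient(key)

    # Legitimate command from the paired app: accepted.
    nonce = pump.issue_challenge()
    frame = app.build(nonce, b"SET_BASAL:0.8")   # constructed command string
    legitimate = pump.verify(*frame)

    # The same frame captured and sent again: the challenge is spent, rejected.
    replayed = pump.verify(*frame)

    # A party with a fresh challenge but without the shared key: MAC fails.
    rogue = AppClient(os.urandom(32))
    nonce2 = pump.issue_challenge()
    unauthenticated = pump.verify(*rogue.build(nonce2, b"SET_BASAL:5.0"))

    # A genuine frame whose command bytes were altered in transit: MAC fails.
    nonce3 = pump.issue_challenge()
    n, c, _cmd, t = app.build(nonce3, b"SET_BASAL:0.8")
    tampered = pump.verify(n, c, b"SET_BASAL:5.0", t)

    return legitimate, replayed, unauthenticated, tampered


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False, False)
```

The verifier checks the nonce before the MAC so that a replayed frame is rejected even though its tag is still genuine, and compares tags with hmac.compare_digest to avoid leaking timing information; the key is generated randomly rather than derived from a fixed PIN, which is the property the deterministic-key finding (CVE-2020-27264) lacks.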

Remediation advice

SOOIL has confirmed that version 3.0 of their Dana Diabecare RS and AnyDana software addresses all nine vulnerabilities. Affected organisations are encouraged to contact their relevant suppliers and ensure any vulnerable devices are updated accordingly.

Additionally, SOOIL recommends users who cannot update only operate their pumps in Airplane Mode.


Last edited: 17 January 2022 5:52 pm