CVE-2016-5086

9.8 CRITICAL

📋 TL;DR

CVE-2016-5086 is an authentication bypass vulnerability in Johnson & Johnson Animas OneTouch Ping insulin pumps that allows attackers to replay previously captured communication packets to gain unauthorized access. This affects patients using these medical devices for insulin delivery, potentially allowing remote attackers to control insulin administration.

💻 Affected Systems

Products:
  • Johnson & Johnson Animas OneTouch Ping Insulin Pump
Versions: All versions prior to firmware update addressing this vulnerability
Operating Systems: Embedded medical device firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Devices use unencrypted RF communication for remote control functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote attacker could deliver lethal insulin doses to patient, causing severe hypoglycemia or death.

🟠 Likely Case: Unauthorized access to device settings allowing manipulation of insulin delivery rates, potentially causing dangerous blood sugar levels.

🟢 If Mitigated: With proper network segmentation and monitoring, risk reduces to unauthorized access attempts being detected before harm occurs.

🌐 Internet-Facing: HIGH - Devices communicate wirelessly and can be accessed remotely via radio frequency.
🏢 Internal Only: HIGH - Attackers within radio range (approximately 10-20 feet) can exploit without network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit tools and research published by Rapid7 and security researchers demonstrate practical attacks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware update released by Johnson & Johnson in 2016

Vendor Advisory: https://www.animas.com/safety-notice

Restart Required: Yes

Instructions:

  1. Contact Johnson & Johnson/Animas for firmware update.
  2. Follow medical device update procedures.
  3. Verify new firmware version.
  4. Test device functionality post-update.

🔧 Temporary Workarounds

  • Disable remote control feature: Disable the OneTouch Ping remote control functionality to prevent RF communication attacks. How: device-specific menu settings to disable remote control.
  • Physical isolation: Keep device in RF-shielded case when not in use to prevent unauthorized access.

🧯 If You Can't Patch

  • Replace vulnerable devices with updated models or alternative insulin delivery systems
  • Implement strict physical security controls and monitoring for unauthorized RF signals near patient

🔍 How to Verify

Check if Vulnerable:

Check the device firmware version against the Johnson & Johnson security bulletin. Devices manufactured before the 2016 firmware update are vulnerable.

Check Version:

Check the device settings menu for firmware version information.

Verify Fix Applied:

Verify that the firmware version shows the post-2016 update. Test that RF communication requires authentication.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts
  • Unexpected RF communication patterns

Network Indicators:

  • Unusual RF signal patterns in medical device frequency ranges
  • Repeated authentication packets

SIEM Query:

Medical device logs showing authentication bypass or unexpected remote control commands
