A team of IBM security researchers uncovered a potential vulnerability in software from Thales that could affect insulin pumps.

IBM’s “X-Force Red” team discovered the internet of things (IoT) vulnerability that can be remotely exploited in September 2019 with Thales’ Cinterion EHS8 M2M module, according to a report from SecurityIntelligence.

The software is used in several internet-connected devices, which include medical monitoring devices such as insulin pumps for people with diabetes.

Thales confirmed the vulnerability can affect other modules within the same product line of the EHS8 (BGS5, EHS5/6/8, PDS5/6/8, ELS61, ELS81, PLS62), all of which are mini circuit boards that enable mobile communication in IoT devices.

According to the report, the modules store and run code containing confidential information, creating the potential for attackers to gain control of devices or networks and conduct widespread attacks, like overdosing a medical patient or even knocking out a city’s electricity.

The attacker could potentially manipulate readings from monitoring devices to cover up concerning vital signs or create false panic, while also being capable of over or underdosing patients receiving treatments like insulin that are based on inputs.

Once discovered, the vulnerability was reported to Thales, which worked with the IBM team and created a patch that was distributed to clients in February 2020. According to MedTech Dive, neither company has disclosed the names of clients whose insulin pumps are vulnerable.

The patch can either be plugged into a USB to run a software update or via an over-the-air (OTA) update, dependent on the manufacturer of the device and its capabilities. IBM’s team suggests that users of vulnerable devices apply the patch immediately, rethink what information is stored on the devices, apply new layers of security and be mindful of IoT and other potential vulnerabilities.