Hackers can tamper with medical drug pumps, leading to fatal outcomes
Researcher Billy Rios has discovered serious vulnerabilities in several types of drug infusion pumps manufactured by US-based company Hospira – vulnerabilities that can be exploited remotely by attackers looking to take control of the medical devices, and to effect changes that could threaten patients’ lives.
This is not the first time that Rios has discovered vulnerabilities in Hospira’s pumps: in May 2014, he reported to the Department of Homeland Security and the FDA several vulnerabilities that made it possible for an attacker to change medication dosage limits on the company’s PCA 3 Lifecare line of pumps.
A year later, the FDA eventually released a security advisory about those first vulnerabilities, as they had also been discovered by another researcher and their existence made public. In the year between the initial discovery and the publication of the advisory, Hospira failed to patch the flaws.
In fact, when Rios first contacted the company in 2014, it refused to test the other infusion pumps it sells for the vulnerabilities. This spurred Rios to continue the research, and he purchased additional pumps to test them himself.
“What I found was very interesting, many of Hospira’s infusion pumps utilize identical software on their infusion pumps communications module, making them vulnerable to the exact same security issues associated with the PCA 3,” he shared in a blog post.
These vulnerabilities include the ability to forge drug library updates to the infusion pump, an unauthenticated telnet shell that gives root access to the communications module, the use of identical hardcoded credentials, private keys and encryption certificates across different device lines, and outdated software.
The confirmed affected device lines are the following: PCA 3 Lifecare, PCA 5 Lifecare, Plum A+ Infusion Pumps, PCA Lifecare, and Symbiq (no longer sold). Rios suspects (but still hasn’t verified) that the Plum A+3, Plum 360, Sapphire, and Sapphire Plus pumps are affected by the same vulnerabilities.
The newly discovered vulnerabilities would allow an attacker to remotely alter the devices’ firmware, as they accept unsigned, unauthenticated updates. The connection to the device can be made via the devices’ communication modules, which are connected to hospital networks.
Wired reports that Hospira claims that this attack is impossible, as the communication module and the circuit board (which contains the firmware) are physically separated.
But Rios discovered they are connected via a serial cable, and he plans to develop a Proof-of-Concept attack that will prove that he is right.