Just last month, we wrote about an entry in the National Vulnerability Database that highlighted flaws in a range of drug infusion pumps.
It seems that well-known security researcher Billy (BK) Rios has been looking at how to exploit infusion pumps, too.
According to Wired, Rios ended up connected to a patient-controlled analgesia (PCA) device after recent surgery, only to recognize it as one of the pumps he’d recently been picking apart for security flaws.
The pump was the same brand that we wrote about last month – a Hospira LifeCare PCA – and Rios had already found in it the sort of vulnerability that very likely counteracted any feel-good factor provided by the analgesia it was administering.
Rios had found that the pump used so-called “drug libraries” – data that includes dosage limits to help insure the pumps operate safely – that could be updated without authentication.
The problem was that anybody on the hospital’s network – including an intruder remotely accessing a pump via the internet – could raise the dose limits.
Even if an attacker couldn’t change the actual drug dosage, tampering with the drug library data might mean that the pump wouldn’t set off an alarm if an out-of-range dose were subsequently entered.
Now, the scenario with Hospira’s pumps has gotten much worse, Rios says.
Rios had, back in May 2014, recommended that Hospira analyze other models of its infusion pumps to see if they shared the same vulnerabilities with the ones he had tested, but five months later, he heard that the company was “not interested in verifying that other pumps are vulnerable.”
So Rios went out and picked up other Hospira pump models with the same firmware as the PCA.
After further testing, he confirmed to Wired that these pump models have far more serious vulnerabilities than the ones he tested last year: vulnerabilities that would, in fact, allow somebody to remotely change drug doses, as well as upping the maximum doses permitted.
Wired drills down into how the firmware security flaw works, and it’s once again down to a lack of authentication.
→ Many articles about cryptography focus on secrecy, where you scramble data so an interloper can’t read it. But authentication and integrity are often more important, where you use cryptographic algorithms to make sure that data you are relying on comes from a trusted source, not from an imposter, and that it wasn’t altered along the way.
Hospira uses a special serial connection inside the device to access and update the firmware where the pumps’ operating system and software are store.
But firmware uploads sent across this serial link are not digitally signed.
In theory, then, you could alter the firmware in a pump without triggering any warning.
And if you can rewrite the firmware as you choose, you can pretty much program any behaviour you like into the pump, including changing doses, or ignoring dosage limits altogether.
Rios will be presenting his findings at the SummerCon hacker convention in July.
UPDATE: Hospira sent us a statement:
Supporting safe and effective delivery of medication is Hospira's priority. In the interest of patient safety, Hospira has been actively working with the Department of Homeland Security (DHS) and the U.S. Food and Drug Administration (FDA) regarding reported vulnerabilities in our infusion pumps. The company has communicated with customers on how to address the vulnerabilities following recent advisories from the FDA and DHS. There are no instances of cybersecurity breaches of Hospira devices in a clinical setting.
...
Exploiting cybersecurity vulnerabilities requires penetrating several layers of network security enforced by the hospital information system, including secure firewalls. These measures serve as the first and strongest defense against tampering, and the infusion systems provide an additional layer of security.
Images of Hospira pumps courtesy of Billy Rios. Image of hospital corridor courtesy of Shutterstock.
