Flaw in Hospira hospital drug pumps could let through fatal doses

Security hole in Hospira hospital drug pumps could let through fatal doses

An attacker who knows how to update the firmware - not a tough task, says security researcher Billy Rios - can change the dosage to a lethal limit.


Just last month, we wrote about an entry in the National Vulnerability Database that highlighted flaws in a range of drug infusion pumps.

It seems that well-known security researcher Billy (BK) Rios has been looking at how to exploit infusion pumps, too.

According to Wired, Rios ended up connected to a patient-controlled analgesia (PCA) device after recent surgery, only to recognize it as one of the pumps he’d recently been picking apart for security flaws.

The pump was the same brand that we wrote about last month – a Hospira LifeCare PCA – and Rios had already found in it the sort of vulnerability that very likely counteracted any feel-good factor provided by the analgesia it was administering.

Rios had found that the pump used so-called “drug libraries” – data that includes dosage limits to help ensure the pumps operate safely – that could be updated without authentication.

The problem was that anybody on the hospital’s network – including an intruder remotely accessing a pump via the internet – could raise the dose limits.

Even if an attacker couldn’t change the actual drug dosage, tampering with the drug library data might mean that the pump wouldn’t set off an alarm if an out-of-range dose were subsequently entered.

Now, the scenario with Hospira’s pumps has gotten much worse, Rios says.

Rios had, back in May 2014, recommended that Hospira analyze other models of its infusion pumps to see if they shared the same vulnerabilities with the ones he had tested, but five months later, he heard that the company was “not interested in verifying that other pumps are vulnerable.”

So Rios went out and picked up other Hospira pump models with the same firmware as the PCA.

After further testing, he confirmed to Wired that these pump models have far more serious vulnerabilities than the ones he tested last year: vulnerabilities that would, in fact, allow somebody to remotely change drug doses, as well as upping the maximum doses permitted.

Plum A+ drug pump from Hospira, image courtesy of Billy Rios

Wired drills down into how the firmware security flaw works, and it’s once again down to a lack of authentication.

→ Many articles about cryptography focus on secrecy, where you scramble data so an interloper can’t read it. But authentication and integrity are often more important, where you use cryptographic algorithms to make sure that data you are relying on comes from a trusted source, not from an imposter, and that it wasn’t altered along the way.

PCA serial cable, courtesy of Billy Rios

Hospira uses a special serial connection inside the device to access and update the firmware where the pumps’ operating system and software are stored.

But firmware uploads sent across this serial link are not digitally signed.

In theory, then, you could alter the firmware in a pump without triggering any warning.

And if you can rewrite the firmware as you choose, you can pretty much program any behaviour you like into the pump, including changing doses, or ignoring dosage limits altogether.
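
To make the authentication-and-integrity point concrete, here is an added example (not code from Wired, Rios or Hospira) of an update loader that parses whatever arrives beside one that verifies the update first. The JSON layout, field names and key are constructed for illustration, and HMAC-SHA256 stands in for the digital signature a real device would check against a vendor public key.

```python
import hashlib
import hmac
import json

# Constructed key for illustration; a real device would hold a vendor
# public key in protected storage and verify an asymmetric signature.
DEVICE_KEY = b"constructed-demo-key-not-a-real-secret"


def package_library(library: dict, key: bytes) -> bytes:
    """Vendor side: serialize the library and prepend a 32-byte HMAC tag."""
    body = json.dumps(library, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).digest() + body


def load_unauthenticated(blob: bytes) -> dict:
    """The weakness the article describes: accept any well-formed update."""
    return json.loads(blob[32:])


def load_authenticated(blob: bytes, key: bytes, installed_version: int) -> dict:
    """Accept the update only if the tag verifies and the version moves forward."""
    if len(blob) <= 32:
        raise ValueError("update too short")
    tag, body = blob[:32], blob[32:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("authentication tag mismatch")
    library = json.loads(body)
    if library["version"] <= installed_version:
        raise ValueError("rollback or replay of an old library")
    return library


def demo() -> dict:
    good = package_library(
        {"version": 7, "drug": "example-analgesic", "max_dose_mg_per_hr": 10},
        DEVICE_KEY)
    # Simulated in-transit modification of the constructed sample.
    tampered = good.replace(b'"max_dose_mg_per_hr": 10', b'"max_dose_mg_per_hr": 99')
    results = {"unauth_limit": load_unauthenticated(tampered)["max_dose_mg_per_hr"]}
    try:
        load_authenticated(tampered, DEVICE_KEY, installed_version=6)
        results["auth"] = "accepted"
    except ValueError as exc:
        results["auth"] = str(exc)
    results["good_limit"] = load_authenticated(good, DEVICE_KEY, 6)["max_dose_mg_per_hr"]
    return results
```

The data is never encrypted in either loader: the verified path rejects the altered limit purely because the tag no longer matches, and it also refuses a validly tagged but older library.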

Rios will be presenting his findings at the SummerCon hacker convention in July.

UPDATE: Hospira sent us a statement:

Supporting safe and effective delivery of medication is Hospira's priority. In the interest of patient safety, Hospira has been actively working with the Department of Homeland Security (DHS) and the U.S. Food and Drug Administration (FDA) regarding reported vulnerabilities in our infusion pumps. The company has communicated with customers on how to address the vulnerabilities following recent advisories from the FDA and DHS. There are no instances of cybersecurity breaches of Hospira devices in a clinical setting.


Exploiting cybersecurity vulnerabilities requires penetrating several layers of network security enforced by the hospital information system, including secure firewalls. These measures serve as the first and strongest defense against tampering, and the infusion systems provide an additional layer of security.

Images of Hospira pumps courtesy of Billy Rios. Image of hospital corridor courtesy of Shutterstock.


So these attacks require physical access?

If I can touch a device unbothered for a length of time, I already own it.


Firstly, it depends what you mean by “length of time.” It _is_ possible to construct devices that are pretty difficult to subvert even when you have physical access for an indefinite length of time without any restrictions or risk of being caught, and can dismantle or modify the device at will. Example: iPhone.

Secondly, these devices are networked and can be accessed over the network.

Thirdly, the devices support Wi-Fi as one sort of network interface.

Fourthly, at least some of the devices listen (or used to listen – this was the issue in the earlier vulnerability linked to above) over TCP for plain, unencrypted, unauthenticated telnet connections that give you root.

Of all the devices that you’d think would make some effort at firmware signing, a PCA would surely be one…


So Hospira’s response is effectively, “So what? Our devices reside on an already protected network, and that’s good enough for us.”


It does seem a bit weird that the statement points out that “the infusion systems provide an additional layer of security”. After all, the article is about the fact that update authentication (digital signing) is a very relevant additional layer of security that the infusion systems *don’t* provide.

