Naked Security

Smart pumps used by hospitals in IV drips vulnerable to attacks

Eight flaws were found in the pumps used to deliver precise doses of drugs - and where a misdose thanks to an attack could be fatal

Syringe pumps – those beeping boxes affixed to the pole in a hospital IV drip – have flaws that could be exploited by hackers to change the dosages being delivered to patients.

Researcher Scott Gayou found eight separate flaws in three versions of the Medfusion 4000 pump made by Smiths Medical, a division of the British multinational Smiths Group.

Hospital staff use syringe pumps to deliver precise amounts of fluids to patients, be they adults or newborn infants: the anaesthesia that keeps patients unconscious during surgery, for example, as well as drugs, blood, antibiotics, or other critical fluids.

Gayou’s discovery prompted the Department of Homeland Security (DHS) to issue an advisory warning last week.

DHS, or, rather, its Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), said in the advisory that successful exploitation of the vulnerabilities could allow a remote attacker to gain unauthorized access to the pumps, their communications and their operation:

“Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump.”

In a letter to customers that acknowledged the flaws, Smiths Medical on Thursday downplayed the likelihood of a successful exploit:

“The possibility of this exploit taking place in a clinical setting is highly unlikely, as it requires a complex and an unlikely series of conditions.”

DHS’s alert detailed the vulnerabilities, which include a classic buffer overflow caused by a third-party pump component that fails to verify input buffer size prior to copying. Given that the pump receives this type of potentially malicious input infrequently, and under certain conditions, that one’s tough to exploit.
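To make "fails to verify input buffer size prior to copying" concrete, here is the unchecked pattern next to a checked one, as an added example that is not taken from the advisory or from the pump's firmware. The one-byte-length message layout, `FIELD_CAP` and all function and variable names are hypothetical, and the sample messages are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_CAP 16                    /* hypothetical destination size */

struct field { uint8_t data[FIELD_CAP]; size_t len; };

/* Unchecked pattern, for contrast only (never called here): the copy size
 * comes straight from the sender, so a length byte above FIELD_CAP writes
 * past the end of out->data. */
void parse_field_unchecked(const uint8_t *msg, struct field *out)
{
    size_t declared = msg[0];
    memcpy(out->data, msg + 1, declared);
    out->len = declared;
}

/* Checked form: verify the declared size against both the bytes actually
 * received and the destination capacity before copying.
 * Returns 0 on success, -1 if the message is rejected. */
int parse_field_checked(const uint8_t *msg, size_t msg_len, struct field *out)
{
    if (msg == NULL || out == NULL || msg_len < 1)
        return -1;
    size_t declared = msg[0];
    if (declared > msg_len - 1)         /* claims more than was received */
        return -1;
    if (declared > sizeof out->data)    /* would overflow the destination */
        return -1;
    memcpy(out->data, msg + 1, declared);
    out->len = declared;
    return 0;
}

/* Constructed sample messages: [length byte][payload...] */
const uint8_t MSG_OK[]          = { 4, 'P', 'U', 'M', 'P' };
const uint8_t MSG_TRUNCATED[]   = { 9, 'A', 'B' };   /* declares 9, carries 2 */
const uint8_t MSG_OVERSIZED[33] = { 32 };            /* declares 32 > FIELD_CAP */
struct field g_out;

int main(void)
{
    printf("ok=%d truncated=%d oversized=%d\n",
           parse_field_checked(MSG_OK, sizeof MSG_OK, &g_out),
           parse_field_checked(MSG_TRUNCATED, sizeof MSG_TRUNCATED, &g_out),
           parse_field_checked(MSG_OVERSIZED, sizeof MSG_OVERSIZED, &g_out));
    return 0;
}
```

The checked version rejects both the message that declares more bytes than arrived and the one that declares more than the destination can hold; either check alone leaves an out-of-bounds read or write.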

Also on the list of vulnerabilities are hard-coded credentials in a few spots; an FTP server on the pump that doesn’t require authentication if the pump is configured to allow FTP connections; storage of some passwords in the configuration file that are accessible if the pump is configured to allow external communications, and more.

Buffer overflows? Hard-coded credentials? If those sound familiar, they should: the vulnerabilities leave the devices open to well-known attacks, given that they don’t do much to check to see who’s connecting to them and don’t do a very good job of sanitizing any commands they receive.

That’s unnerving: these syringe pumps are used on all manner of patients, including on neonatal wards to treat premature babies. Precision in drug delivery via these pumps is crucial. When they work the way they’re supposed to – as they do in hospitals with reliable electricity to keep them running, as opposed to the mechanical pumps used in developing countries that have high dosing error rates – they can administer drugs in consistent, tiny amounts that are impossible for human nurses to achieve.

There’s no known exploit that’s occurred in the wild. Smiths Medical says it will release fixes in Version 1.6.1 for the Medfusion 4000 syringe infusion pumps in January 2018.

In the meantime, the company released mitigation protocols in the ICS-CERT advisory that it says will protect against exploit. Some of those steps include further segregation of the devices from other parts of hospitals’ networks, assigning the devices static IP addresses, routine backups, and other pieces of advice that come straight out of the typical good-password handbook:

  1. Apply proper password hygiene standards across systems (ie, use uppercase, lowercase, special characters, and a minimum character length of eight).
  2. Do not re-use passwords.

We can help with No. 1 for sure: here’s a short, sweet, straight-talking video that not only shows you how to pick a proper password, but also explains why you should bother.



As far as password reuse goes, there’s an ever-swelling list of stories about people’s accounts getting broken into because crooks found a password, then simply tried the credential out on any other site they could think of, be it on Netflix, Amazon, LinkedIn, Facebook, or National Lottery accounts.

But those stories pale in comparison to the possibility that password reuse could lead to a fatal overdose or underdose. Kudos and our thanks go to Scott Gayou for finding these flaws before harm could be done.

1 Comment

Are they wired, or wirelessly-networked? If wired, then the network itself could be secured. But, if wireless, all bets are off. In fact, unless wireless doesn’t exist, or exists and is turned off, the devices will always be vulnerable to attack from that vector.

