FDA calls halt to use of compromised drug infusion pumps
Several months ago, security experts indicated the risks of hacking older drug infusion pumps. It was discovered that certain versions of the Hospira's Lifecare PCA3 Drug Infusion pumps were affected by numerous remotely exploitable vulnerabilities, with the potential to open the doors to hackers to completely take over the devices.
Security expert and hacker, Billy Rios, found that both the FTP and telnet ports were left open on the Drug Infusion pumps and port 843 is accessible using default login password.
The US Food and Drug Administration has invited healthcare providers to stop using older drug infusion pumps made by Hospira. Hospira confirmed they are working with affected hospitals to solve the problem and are issuing an update to fix the security issues.
Rios discovered that the vulnerable systems are the Symbiq Infusion System and Hospira's Plum A+ Infusion System, Version 13.4 and previous versions, and Plum A+3 Infusion System 13.6 and earlier models.