Internet-connected drug pump found with "severe" exploitable flaw

News by Davey Winder

The US Department of Homeland Security has issued a warning via the National Vulnerability Database after a security researcher described an internet-connected drug infusion pump manufactured by Hospira as "literally the least secure IP enabled device I've ever touched in my life."

The warning, which scored a low on access complexity scale (meaning it was easily exploitable across the network) gained a maximum 10 out of 10 for both severity and impact according to the vulnerability summary.

The Hospira Lifecare PCA3 infusion pump, running software version 412, was discovered not to require any authentication for Telnet sessions making it easy for any remote attacker coming in via TCP port 23 to gain root privileges. The wireless encryption keys were apparently stored in plain text on the device, so anyone with physical access (such as a patient) could then access the 'Life Critical Network' responsible for administering the dosage. Unfortunately, that means the attacker would then have access to all the drug pumps connected to that network across the hospital.

This wasn't the first time that a Hospira infusion system had been found wanting, and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) had been working with the company since May 2014 to address the vulnerabilities. A new version of the control software, version 7.0, which closes the FTP and Telnet ports by default is currently being reviewed by the US Food and Drug Administration (FDA) before release according to an ICS-CERT update.

However, this still leaves several security concerns hanging in the air when the Internet of Things meets the healthcare marketplace. There is no doubt that IP connected medical devices have the ability to improve the care of those patients using them, but at what potential cost? Hospitals are generally perceived as a place of safety and the reality bears this out, including the realm of technology as they are generally both well connected and well protected.

"We need to be careful not to sensationalise extreme examples," warns Rob Lay, an enterprise and cyber-security solutions architect at Fujitsu, who continues, "All of the flaws mentioned are basic and have been around for a long time and these would be picked up by any reasonable review, analysis or standards check." Apart from the fact that they weren't, of course.

The problem being, according to Ken Munro, senior partner at Pen Test Partners, that manufacturers want to add functionality and value to increase revenue "but don't always factor security into the product development cycle." Certainly adding connectivity and IP functionality is a bolt-on competitive edge, but the risks are high when those manufacturers are not well-versed in matters of IT security.

It's not rocket science either; smart medical devices essentially behave as any network connected appliance, hence they need to have security mechanisms built-in that prevent unauthorised remote access. "Both hospitals and manufacturers need to be trained in basic security practices and held accountable for security shortcomings" warns Catalin Cosoi, chief security strategist at Bitdefender who continues, "although there have been no real-life cases where smart medical devices were used to “assassinate” people, we cannot turn a blind eye to the possibility." Talk of assassination may be a little far-fetched, but the highly personal and confidential nature of medical information does mean that the healthcare sector is very much on the cyber-criminal radar. As more devices become connected, and are found wanting in the security department, so attention may conceivably turn from data theft to blackmail.

One thing that everyone across the IT security profession can agree upon is that it has fast become a significant challenge for both regulatory and governmental bodies to ensure that standards are adapted to fit. Safety standards in healthcare have traditionally focused on the physical risk of a product and its components, but now need to "accurately and clearly identify digital risks and outline those minimum safety criteria" according to the VP of security research at Trend Micro, Rik Ferguson. 

"The best we can hope for in the future would be a kind of digital kite-mark, offering some assurance that physical goods have been designed and built to a certain standard of digital security" he concludes.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews