Slashdot Mirror


DHS: Drug Infusion Pumps Vulnerable To Trivial Hacks

chicksdaddy writes with news of a DHS warning about the vulnerability of a popular brand of drug pumps. "The Department of Homeland Security warned that drug infusion pump management software sold by Hospira contains serious and exploitable vulnerabilities that could be used to remotely take control of the devices.

The MedNet server software manages drug libraries, firmware updates, and configurations of Hospira intravenous pumps. DHS's Industrial Control System Computer Emergency Response Team (ICS-CERT) said in an advisory issued Tuesday that the MedNet software from the firm Hospira contains four critical vulnerabilities – three of them capable of being exploited remotely. The vulnerabilities could allow a malicious actor to run malicious code on and take control of the MedNet servers, which could be used to distribute unauthorized modifications to medication libraries and pump configurations.

The vulnerabilities were discovered by independent security researcher Billy Rios and reported to both Hospira and ICS-CERT. The vulnerabilities vary in their severity. Among the most serious is Rios's discovery of a plaintext, hard-coded password for the SQL database used by the MedNet software (CVE-2014-5405e). By obtaining that password, an attacker could compromise the MedNet SQL server and gain administrative access to the workstation used to manage deployed pumps."
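The headline finding in the summary is a plaintext, hard-coded SQL password. The Python below is an added example written for this page (it is not code from Hospira, MedNet, ICS-CERT or the researcher): a small scanner that flags literal passwords in a constructed sample code tree, next to a connection-string builder that refuses to start without the secret supplied from the environment, and a redaction helper so the password never lands in a log line. The sample file contents, the `MEDNET_DB_PASSWORD` variable name and every value in them are assumptions made up for the example.

```python
import os
import re
from typing import Dict, List, Mapping, Optional, Tuple

# Constructed sample files (path -> contents) standing in for a code tree.
# Written for this example; not Hospira's or MedNet's code.
SAMPLE_FILES: Dict[str, str] = {
    "app/db.py": (
        "import pyodbc\n"
        "SERVER = 'mednet-db'\n"
        "conn = pyodbc.connect('DRIVER={SQL Server};SERVER=mednet-db;"
        "UID=sa;PWD=Summer2014!')\n"
    ),
    "config/app.properties": (
        "db.user=svc_pump\n"
        "db.password=hunter2\n"
        "db.pool.size=10\n"
    ),
    "app/settings.py": (
        "DB_PASSWORD = os.environ['DB_PASSWORD']  # read at runtime, not embedded\n"
        "password_hint = ''  # empty string, not a secret\n"
    ),
}

# A password-like key followed by '=' or ':' and a value. This covers key=value
# config files, assignments in source, and PWD=... inside ODBC/JDBC-style
# connection strings. The value stops at a quote, ';' or whitespace.
CRED_RE = re.compile(
    r"""(?i)(?P<key>password|passwd|pwd)\s*[:=]\s*['"]?(?P<val>[^'";\s]+)"""
)

# Values containing these are references resolved at runtime (a call, an index
# into os.environ, a ${VAR} placeholder), not literal secrets.
REFERENCE_MARKERS = ("(", "[", "$")


def find_hardcoded_credentials(files: Mapping[str, str]) -> List[Tuple[str, int, str]]:
    """Return (path, line_number, key) for each line that embeds a literal password."""
    findings: List[Tuple[str, int, str]] = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for m in CRED_RE.finditer(line):
                val = m.group("val")
                if any(marker in val for marker in REFERENCE_MARKERS):
                    continue  # resolved at runtime; not hard-coded
                findings.append((path, lineno, m.group("key").lower()))
    return findings


def build_connection_string(server: str, user: str,
                            env_var: str = "MEDNET_DB_PASSWORD",
                            environ: Optional[Mapping[str, str]] = None) -> str:
    """Assemble an ODBC-style connection string whose password comes from the
    environment (a stand-in for a secret store). There is no built-in default:
    a missing secret is an error, not a silent fallback."""
    env = os.environ if environ is None else environ
    password = env.get(env_var)
    if not password:
        raise RuntimeError(f"{env_var} is not set; refusing to use a default password")
    return f"DRIVER={{SQL Server}};SERVER={server};UID={user};PWD={password}"


def redact_connection_string(conn: str) -> str:
    """Mask the password component before a connection string reaches a log."""
    return re.sub(r"(?i)(PWD|PASSWORD)=[^;]*", r"\1=***", conn)


if __name__ == "__main__":
    for path, lineno, key in find_hardcoded_credentials(SAMPLE_FILES):
        print(f"{path}:{lineno}: literal value assigned to '{key}'")
    # Demo only: seed the variable so the builder has something to read.
    os.environ.setdefault("MEDNET_DB_PASSWORD", "demo-only-value")
    print(redact_connection_string(build_connection_string("mednet-db", "svc_pump")))
```

The scanner is deliberately a line-level heuristic: it catches the two styles a hard-coded secret usually takes (an assignment or config key, and a `PWD=` segment inside a connection string) and leaves alone values that are clearly resolved at runtime. Anything it flags is a candidate for review, not proof on its own; the real fix is the builder's approach of never having a default to leak.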

37 comments

  1. Hold the presses! by Anonymous Coward · · Score: 0

    Where's the flashy marketing name for this CVE? I'll call it infusiodoom!

  2. Hacking galore ! by Taco+Cowboy · · Score: 2

    It's not only the infusion pumps that can be easily hacked; pacemakers can also be hacked, as well as a zillion types of other medical equipment.

    This is not all --- with the advent of the IoT (Internet of Things), and average homes gonna be populated with devices that can be remotely connected, it will be hacking galore for those who are savvy with technology.

    --
    Muchas Gracias, Señor Edward Snowden !

    1. Re:Hacking galore ! by rmdingler · · Score: 1

      The interesting thing is the way mainstream folks go marching along voluntarily signing away the privacy rights to their final refuge.

      "Look, I can set the temperature on my thermostat from here!" or "Watch this Bubba... I can turn on the Spa heater an hour before getting home!"

      We're so accustomed to the exchange of freedom for security that now we're trading it for convenience.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    2. Re:Hacking galore ! by Anonymous Coward · · Score: 0

      We're so accustomed to the exchange of freedom for security that now we're trading it for convenience.

      Case in point, look what we've let the US federal government take from our states rights and ourselves. As we add items to the list of "basic human rights" we necessarily take away from the list of "basic human liberties." Sometimes the exchange makes sense, at least on the surface. However, the flow is only one way, and when a liberty goes, it is gone.

  3. Makes you wonder . . . by Anonymous Coward · · Score: 0

    1) BAD software developer
    2) software developer who didn't give a damn
    3) Repeat 1 & 2 but substitute management
    4) ?

  4. They should have used a NoSQL database. by Anonymous Coward · · Score: 2, Funny

    Like the summary states, they experienced this problem because they used a SQL database.

    If they had used a NoSQL database instead, then none of this would have happened.

    When you use most NoSQL databases, you can't run into a problem like "a plaintext, hard-coded password for the SQL database".

    Why is that? Because most NoSQL database systems don't even support risky functionality like authentication.

    See, if you don't even need to provide a password to access the database, then you don't need to securely store this password. Since there's no password to be stored, there's no way it can be compromised.

    NoSQL is the only way to go in situations like these. NoSQL technology goes out of its way to remove functionality that can be easily exploited.

    1. Re:They should have used a NoSQL database. by sjames · · Score: 1

      And of course, MongoDB is web scale!

  5. So what.. by Anonymous Coward · · Score: 0

    from all my reading here drugs are good and those pumps deliver drugs.. big deal, live with it.

  6. Reasons why I don't like the Internet of Things. by Anonymous Coward · · Score: 1

    Here's a list of reasons why I don't like the Internet of Things:

    1) Internet of Things devices could watch me while I sleep.

    2) Internet of Things devices could watch me while I pee.

    3) Internet of Things devices could watch me while I make kaka.

    4) Internet of Things devices could watch me while I pleasure myself.

    5) Internet of Things devices could watch me while I wash my body in the shower.

    6) Internet of Things devices could watch me while I relax in the tub.

    7) Internet of Things devices could watch me while I brush my teeth.

    8) Internet of Things devices could watch me while I make passionate love to my wife.

    9) Internet of Things devices could watch me while I brush my hair.

    10) Internet of Things devices could watch me while I read a book.

    11) Internet of Things devices could watch me while I read Slashdot.

    12) Internet of Things devices could watch me while I bake cake.

    13) Internet of Things devices could watch me while I put in my contact lenses.

    14) Internet of Things devices could watch me while I get ready to play golf.

    15) Internet of Things devices could watch me while I do my laundry.

    16) Internet of Things devices could watch me while I think about rugby.

    17) Internet of Things devices could watch me while I tie my shoes.

    18) Internet of Things devices could watch me while I celebrate the 4th of July.

    19) Internet of Things devices could watch me while I water my flowers.

    20) Internet of Things devices could watch me while I eat ham.

    21) Internet of Things devices could watch me while I use my stapler to staple documents.

    22) Internet of Things devices could watch me while I chew bubble gum.

    23) Internet of Things devices could watch me while I check the oil in my car.

    24) Internet of Things devices could watch me while I look for my TV remote.

    25) Internet of Things devices could watch me while I blow my nose.

    26) Internet of Things devices could watch me while I rearrange my stamp collection.

    27) Internet of Things devices could watch me while I listen to the Backstreet Boys.

    28) Internet of Things devices could watch me while I do my calisthenics.

    29) Internet of Things devices could watch me while I search for a paper clip.

    30) Internet of Things devices could send information about me to advertisers.

    31) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I sleep.

    32) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I pee.

    33) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I make kaka.

    34) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I pleasure myself.

    35) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I wash my body in the shower.

    36) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I relax in the tub.

    37) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I brush my teeth.

    38) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I make passionate love to my wife.

    39) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I brush my hair.

    40) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I read a book.

    41) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I read Slashdot.

    42) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I bake cake.

    43) Internet of Things devices could let advertisers use the data unsuspectingly coll

  7. Hardcoded DB password? by jythie · · Score: 1

    Generally the pay when working for medical device companies is pretty good; how in the world are they getting programmers that lousy?

    Oh right, 'cultural compatibility'....

    1. Re:Hardcoded DB password? by Anonymous Coward · · Score: 0

      good luck finding a buyer for your product when they lose access to it and you can't provide the password because it's so secure

    2. Re:Hardcoded DB password? by Bob+the+Super+Hamste · · Score: 1

      I don't know how good the pay was at this company for their software people, but my experience has been that the offers from medical device companies for software people have been on the very low end, so I would imagine this would be the case here as well. The pay for MEs and EEs is probably much better and more in line with the norm, but then I may just be making shit up as I am not an ME or EE.

      --
      Time to offend someone

    3. Re:Hardcoded DB password? by jythie · · Score: 1

      I admit, that is a recurring pressure that companies have to contend with, though even that has some pretty good best practices for dealing with it, which do not involve a single hardcoded password across an entire product line.

    4. Re:Hardcoded DB password? by Anonymous Coward · · Score: 1

      I am posting this anonymously because I don't want to get into any trouble but I personally know of at least one embedded defibrillator product that uses a hard coded password for remote access over ssh to the hospital. I'm a consultant in the industry and I know for a fact that medical device coders are some of the worst around. They focus entirely on doing only what the FDA mandates and nothing else. All their effort is spent doing only *exactly* what they need to do to win FDA approval and nothing more.

    5. Re:Hardcoded DB password? by jythie · · Score: 1

      That culture alone is probably enough to drive most programmers away.

    6. Re:Hardcoded DB password? by Chris+Mattern · · Score: 1

      From what I hear, this is very, very typical of medical devices. Not even the most basic security precautions are observed, or other basic software principles. If it runs, it ships.

    7. Re:Hardcoded DB password? by Anonymous Coward · · Score: 1

      I work in pharmaceuticals and the attitudes are the same.

      There are actually plenty of decent folks in IT. Sure, most aren't at the Google level of software engineering, but they're competent enough.

      The problem is that there is ZERO priority on making something that does the job right, and total commitment to making something that will stand up in an FDA inspection. So, the emphasis is on tons of documentation and process. We'll write up 30 pages of justification for not fixing a bug that would require changing one line of code to fix, because doing that would require 300 more pages of documentation.

      The whole healthcare IT industry still largely aspires to be like aerospace in the 1970s.

      It is true that half the developers in the industry don't really appreciate these kinds of security issues and the right way to do things. However, the real problem is that the other half dare not point them out, because management doesn't want to hear about it, and they just expose themselves to various forms of punishment if they do point them out. They could be liable when the problem isn't fixed, they could just lose their job over some excuse or when the next wave of layoffs hits (the whole industry is going through lots of that), or they could be told to fix the problem on top of their existing 60 hour workweek writing pointless documentation without the time or resources to do it right, and then blamed when they don't actually fix it right.

      Until attitudes change you won't see this stuff fixed. If I saw something that had a reasonable chance of actually killing somebody I'd speak up about it because I couldn't sleep at night otherwise, but short of that I do what I have to do to keep my job, which is reasonably well-compensated and located in the right place.

    8. Re:Hardcoded DB password? by Anonymous Coward · · Score: 0

      That culture alone is probably enough to drive most programmers away.

      It depends. Where I live there isn't a lot of competition. I'm fairly confident I could land a job at Google or the like if I wanted to, but I'm well through my career and most big tech companies only have offices in big expensive cities and expect employees to come into the office. Most small tech companies pay peanuts, or involve too much risk for somebody far along in their career.

      Sure, I probably won't change the world, but I can still make contributions and since I don't live for work it is good enough. I care more about the contributions I make outside of work.

      In the end you'll still buy your crappy pacemaker because the FDA ensures that only companies that focus more on the paperwork than the product are allowed to sell you one. I'd love it if there were a revolt that changed things - I'd be the first in line to sign up to work for an innovative competitor who could actually afford to pay decent wages because they weren't locked out of the market by byzantine regulations.

    9. Re:Hardcoded DB password? by Anonymous Coward · · Score: 0

      There's no problem with the old solution of setting a jumper to on to bypass authentication. Especially for a pacemaker. If someone has physical access to it, you're already trusting them with everything anyway.

    10. Re:Hardcoded DB password? by sjames · · Score: 1

      Start with a good programmer. Give him incomplete requirements and demand a time estimate RIGHT NOW. Once you have extracted that, carve it in stone. Finally, sprinkle in a heap of additional requirements from marketing.

  8. drug infusion pump management software by Anonymous Coward · · Score: 1

    let me guess, runs on windows?

    1. Re:drug infusion pump management software by gtall · · Score: 1

      It might run on winders, but the bugs are not OS related. They are, however, related to the stupidity of Hospira and their software guys.

      One person above raised an interesting issue, which we have all known about. If you clamp down on security, users find the system unusable. Normally, this isn't such a big deal, but in medical systems it is a very big deal due to the possibility of people dying as a result...either too much or too little. Solving this problem is critical for medical systems, i.e., how do you make the security tight but flexible enough to be properly managed. People do stupid things, like lose passwords, let viruses go inside security perimeters, etc.

    2. Re:drug infusion pump management software by machine321 · · Score: 1

      it is a very big [deal] due to the possibility of people dying as a result...either too much or too little.

      I think most people will consider too much dying to be the problem, not too little dying.

  9. Just reclassify them as design issues and it's OK by Bob+the+Super+Hamste · · Score: 1

    Just reclassify them as design issues and then things will be OK.

    --
    Time to offend someone

  10. Wasn't this an episode of Law and Order? by Anonymous Coward · · Score: 0

    It was. It definitely was.

    http://www.imdb.com/title/tt0098844/epcast

  11. Re:Makes you wonder . . . by Dr_Barnowl · · Score: 3, Informative

    The buck stops with management. They get the pay, they get the responsibility.

    Of course, they're the ones who assess performance as well. No way are they actually going to take the heat for that.

    So the story is : bad management. They're not putting in the appropriate checks and balances, probably because they cost money. They're not interested in making a good product, they want to pad their pay packets. So the buck goes all the way to the top, to the people who decide remuneration policies.

    If the software developers don't give a damn, they're not being selected or motivated appropriately by management.

    And this is one of the myriad reasons why bonus culture sucks.

  12. Re:Reasons why I don't like the Internet of Things by GrumpySteen · · Score: 1

    61 Internet of Things devices could let the world know that you lead a boring fucking life... oh wait, you're doing that on your own already.

  13. Remote access?! by Anonymous Coward · · Score: 0

    Why in the hell does something like an insulin pump even have the hardware for any sort of remote access? I'd like a peek into the head of whichever genius decided this would be a good idea - I bet it looks like the monkey pavilion at the zoo.

    I mean, seriously, it's not like the pump needs 24/7 network access, unless it has an integrated MP3 player that streams music from Spotify or whatever. Any sort of reprogramming or software/firmware updates can be done over a cable.

    1. Re:Remote access?! by bjwest · · Score: 1

      IOT. IOT! Every fucking thing including each LED segment in my oven's digital display HAS TO FUCKING HAVE its own IP address and access to the internet.

      Christ, dude. You want the world to end or something? Without every cell in our body connected to every other cell on the planet via the internet, we're all doomed!

      --
      --- Keep the choice with the user..

    2. Re:Remote access?! by fuzzyfuzzyfungus · · Score: 1

      I don't know what the state of insulin pumps is; but the product here is for in-hospital infusion pumps. I assume that the demand is basically "We have dozens to hundreds of these pumps all over the building(s), each one dispensing some drug on some schedule, with both of those changing from time to time on all units, and we want to be able to keep track of that. Also, some configuration errors could be fatal, so it would be nice to be able to check them against a data source larger and more frequently updated than anything internal to the pump."

      They clearly fucked up the implementation; but that's the sort of problem where I'd be sorely tempted to punch the vendor if I couldn't get a MIB out of them. I suspect that it doesn't help, at all, that hospital infusion pumps are very likely to be used with drugs that you can't necessarily trust all of your staff with (anesthetics have a habit of being zesty opiates, to which one or more of your staff may already have developed an addiction; let's see how long they can cover it up!), so you have more limited options in terms of who you can send out with a programming cable and a strong incentive to get the data to a location where discrepancies are harder to hide.

  14. Re:Reasons why I don't like the Internet of Things by Anonymous Coward · · Score: 0

    It sounds to me like he lives a pretty full life. I know I don't do more than half of those things.

  15. And the solution is .. by DougPaulson · · Score: 2

    And the solution is to not connect your Drug Infusion Pumps to the Intertubes !

    1. Re:And the solution is .. by Mashiki · · Score: 1

      I honestly can't figure out why you'd want to in the first place. My sister was part of the original clinical trials of insulin pumps here in Canada, they were 'dumb' in all terms, and were manually adjusted. If she could figure out how to do everything at the age of 8 with no problems, then I'm pretty sure anyone else can.

      --
      Om, nomnomnom...

    2. Re:And the solution is .. by Anonymous Coward · · Score: 0

      The problem is support and updates. I work in the field of dark connected sites (aka no internet, airgaps, etc) and it's ever increasingly hard/impossible to get support for installation of software, updates or anything unless you plug into the interwebs. Vendors and companies build systems with a 'stuff you jack' attitude if you won't connect.

  16. Re:Makes you wonder . . . by Anonymous Coward · · Score: 0

    If the software developers don't give a damn, they're not being selected or motivated appropriately by management.

    Indeed, at my workplace I'd be punished for bringing something like this up. Management would tell me to fix it, and then blame me if I pointed out that it was a deep-seated design flaw that would take great expense to fix. Shoot the messenger, and you stop getting the message. Then you can go to the FDA and claim you had no idea the problem existed. Willful ignorance is the name of the game in any regulated US industry, which is pretty much all of it when you're talking about regulators like the SEC.

    Most people in IT are problem solvers who like to solve problems. The only reason they don't solve problems is because they have an incentive not to. Usually it is as simple as being overworked - if you have to work hard just to get a mediocre review, then the last thing somebody wants to do is take on extra work that won't be rewarded at all, and which will likely result in work that is rewarded slipping.

  17. Re:Reasons why I don't like the Internet of Things by Aighearach · · Score: 1

    I don't want the internet of things to watch me while I make passionate love to your wife, either.

  18. This was done 20 years ago in the movie "The Net" by Anonymous Coward · · Score: 0

    Almost anyway. They hacked the medical database at the hospital so that the wrong drug was put in the infusion pump for Sandra Bullock's psychiatrist friend.
    http://en.wikipedia.org/wiki/The_Net_%281995_film%29