Slashdot Mirror


DHS: Drug Infusion Pumps Vulnerable To Trivial Hacks

chicksdaddy writes with news of a DHS warning about the vulnerability of a popular brand of drug pumps. "The Department of Homeland Security warned that drug infusion pump management software sold by Hospira contains serious and exploitable vulnerabilities that could be used to remotely take control of the devices.

The MedNet server software manages drug libraries, firmware updates, and configurations of Hospira intravenous pumps. DHS's Industrial Control System Computer Emergency Response Team (ICS-CERT) said in an advisory issued Tuesday that the MedNet software from the firm Hospira contains four critical vulnerabilities – three of them capable of being exploited remotely. The vulnerabilities could allow a malicious actor to run malicious code on and take control of the MedNet servers, which could be used to distribute unauthorized modifications to medication libraries and pump configurations.

The vulnerabilities were discovered by independent security researcher Billy Rios and reported to both Hospira and ICS-CERT. The vulnerabilities vary in their severity. Among the most serious is Rios's discovery of a plaintext, hard-coded password for the SQL database used by the MedNet software (CVE-2014-5405e). By obtaining that password, an attacker could compromise the MedNet SQL server and gain administrative access to the workstation used to manage deployed pumps."
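The most serious finding in the summary above is a plaintext, hard-coded database password. The following is an added example, not code from the article, from ICS-CERT, or from Hospira: a small scanner that flags literal credentials in configuration and source text (key/value pairs, ADO.NET-style connection strings, and credentials embedded in URLs), while ignoring obvious placeholders and runtime lookups, beside the hardened pattern of supplying the secret at runtime and failing closed when it is absent. The sample configuration, the file layout, and the variable name MEDNET_DB_PASSWORD are constructed for illustration.

```python
"""Added example (not from the article or from Hospira): detect hard-coded
database credentials in config/source text, and show the hardened pattern
of loading the secret at runtime instead."""
import os
import re

# Patterns that typically indicate a secret committed into code or config.
# Illustrative assumptions, not the rule set of any real scanner.
CREDENTIAL_PATTERNS = [
    # key/value style:  password = "hunter2"   pwd: s3cret   secret=abc
    re.compile(r'(?i)\b(pass(word|wd)?|pwd|secret)\s*[:=]\s*["\']?(?P<value>[^"\'\s;]+)'),
    # ADO.NET / ODBC connection strings:  ...;Password=s3cret;...
    re.compile(r'(?i)\bPassword\s*=\s*(?P<value>[^;"\'\s]+)'),
    # credentials embedded in URLs:  scheme://user:s3cret@host
    re.compile(r'(?i)\b[a-z][a-z0-9+.-]*://[^/\s:@]+:(?P<value>[^@\s/]+)@'),
]

# Values that are clearly not secrets: env-var references, templating
# markers, masked output, or well-known dummy strings.
PLACEHOLDER = re.compile(r'^(\$\{?\w+\}?|%\w+%|<[^>]*>|\*+|changeme|redacted)$', re.I)


def is_placeholder(value: str) -> bool:
    """True if the captured value is a reference or dummy rather than a literal."""
    return bool(PLACEHOLDER.match(value))


def line_has_secret(line: str) -> bool:
    """True if any credential pattern on this line captures a literal value."""
    return any(
        not is_placeholder(m.group("value"))
        for pat in CREDENTIAL_PATTERNS
        for m in pat.finditer(line)
    )


def find_hardcoded_credentials(text: str):
    """Return (line_number, stripped_line) for every line carrying a literal secret."""
    return [
        (no, line.strip())
        for no, line in enumerate(text.splitlines(), start=1)
        if line_has_secret(line)
    ]


def load_db_password(env_var: str = "MEDNET_DB_PASSWORD", environ=None) -> str:
    """Hardened pattern (constructed): the secret is supplied at runtime by the
    environment or a secrets manager, never stored in a versioned file, and
    the service refuses to start without it rather than falling back to a
    built-in default."""
    environ = os.environ if environ is None else environ
    value = environ.get(env_var)
    if not value:
        raise RuntimeError(f"{env_var} is not set; refusing to start without a credential")
    return value


# Constructed sample configuration, not Hospira's. Lines 5 and 9 embed
# literal secrets; line 7 uses an environment reference and is clean.
SAMPLE_CONFIG = """\
# constructed sample, not Hospira's configuration
[database]
host = mednet-db.internal
user = mednet_svc
password = Sup3rS3cret!
[reporting]
conn = Server=db01;Database=rpt;User Id=rpt;Password=${DB_PASSWORD};
[legacy]
url = postgres://svc:l3gacyPw@db02:5432/legacy
"""


def scan_sample():
    """Line numbers in SAMPLE_CONFIG that carry a hard-coded credential."""
    return [no for no, _ in find_hardcoded_credentials(SAMPLE_CONFIG)]


if __name__ == "__main__":
    for no, line in find_hardcoded_credentials(SAMPLE_CONFIG):
        print(f"line {no}: hard-coded credential: {line}")
    # Hardened path: works only when the operator has provided the secret.
    print("runtime secret:", load_db_password(environ={"MEDNET_DB_PASSWORD": "from-vault"}))
```

Running the scanner over a code base before release, or as a pre-commit check, catches the defect class the advisory describes; the `load_db_password` pattern is what replaces the literal once it is found.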

1 of 37 comments

  1. Re:Makes you wonder . . . by Dr_Barnowl · Score: 3, Informative

    The buck stops with management. They get the pay, they get the responsibility.

    Of course, they're the ones who assess performance as well. No way are they actually going to take the heat for that.

    So the story is: bad management. They're not putting in the appropriate checks and balances, probably because they cost money. They're not interested in making a good product, they want to pad their pay packets. So the buck goes all the way to the top, to the people who decide remuneration policies.

    If the software developers don't give a damn, they're not being selected or motivated appropriately by management.

    And this is one of the myriad reasons why bonus culture sucks.