Slashdot Mirror


DHS: Drug Infusion Pumps Vulnerable To Trivial Hacks

chicksdaddy writes with news of a DHS warning about the vulnerability of a popular brand of drug pumps. "The Department of Homeland Security warned that drug infusion pump management software sold by Hospira contains serious and exploitable vulnerabilities that could be used to remotely take control of the devices.

The MedNet server software manages drug libraries, firmware updates, and configurations of Hospira intravenous pumps. DHS's Industrial Control System Computer Emergency Response Team (ICS-CERT) said in an advisory issued Tuesday that the MedNet software from the firm Hospira contains four critical vulnerabilities – three of them capable of being exploited remotely. The vulnerabilities could allow a malicious actor to run malicious code on and take control of the MedNet servers, which could be used to distribute unauthorized modifications to medication libraries and pump configurations.

The vulnerabilities were discovered by independent security researcher Billy Rios and reported to both Hospira and ICS-CERT. The vulnerabilities vary in their severity. Among the most serious is Rios's discovery of a plaintext, hard-coded password for the SQL database used by the MedNet software (CVE-2014-5405e). By obtaining that password, an attacker could compromise the MedNet SQL server and gain administrative access to the workstation used to manage deployed pumps."
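The most serious finding in the summary is a plaintext, hard-coded password for the SQL database. As an added illustration (not Hospira's or MedNet's code, and not part of the original story), the Python below pairs a small scanner that flags literal credentials in configuration or source text, run over a constructed sample, with a connection-string builder that takes the password from the environment at runtime instead of embedding it. The `MEDNET_DB_PASSWORD` variable name, the sample config lines and all values in them are assumptions made for the example.

```python
import os
import re

# Ways a database password commonly ends up embedded in source or config.
# Each entry is (kind, compiled regex); the secret is the regex's last group.
CREDENTIAL_PATTERNS = [
    # key = value  /  key: value  /  Pwd=value;  (INI, YAML, ODBC strings)
    ("key/value",
     re.compile(r'(?i)\b(password|passwd|pwd|secret)\s*[=:]\s*["\']?([^"\';\s]+)')),
    # URL-style DSN with embedded credentials: scheme://user:pass@host
    ("dsn", re.compile(r'://[^:/\s]+:([^@\s]+)@')),
]

# Values that merely reference a secret rather than contain it:
# ${VAR}, $VAR, %VAR%, <placeholder>, {template}, or a masked ****.
PLACEHOLDER = re.compile(
    r'^(\$\{?[A-Za-z_][A-Za-z0-9_]*\}?|%[A-Za-z_]+%|<[^>]+>|\{[^}]+\}|\*+)$')


def find_hardcoded_credentials(text):
    """Return (line_number, kind, value) for every apparent literal credential.

    Lines whose 'password' is a placeholder or variable reference are not
    reported, so a correctly externalised secret does not trigger a finding.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in CREDENTIAL_PATTERNS:
            for m in pattern.finditer(line):
                value = m.group(m.lastindex)
                if PLACEHOLDER.match(value):
                    continue
                findings.append((lineno, kind, value))
    return findings


def connection_string_from_env(server, database, user,
                               env_var="MEDNET_DB_PASSWORD", env=None):
    """Build an ODBC-style connection string with the password supplied at
    runtime (environment variable here; a secrets manager in production)
    instead of compiled into the program. Fails closed if it is missing.

    `env` may be any mapping; it defaults to os.environ.
    """
    env = os.environ if env is None else env
    password = env.get(env_var)
    if not password:
        raise RuntimeError(f"database password not provided via {env_var}")
    return f"Server={server};Database={database};Uid={user};Pwd={password};"


# Constructed sample input: an INI-style config plus a DSN (not real data).
SAMPLE_CONFIG = """\
# constructed sample: INI-style config plus a DSN
[database]
server = db01.internal
user = pumpadmin
password = S3cretP@ss
connstr = Server=db01;Database=Pumps;Uid=svc;Pwd=hunter2;
dsn = postgres://svc:letmein@db01/pumps
secret = ${APP_SECRET}
"""

if __name__ == "__main__":
    for lineno, kind, value in find_hardcoded_credentials(SAMPLE_CONFIG):
        print(f"line {lineno}: hard-coded credential ({kind}): {value!r}")
    os.environ.setdefault("MEDNET_DB_PASSWORD", "example-only")
    print(connection_string_from_env("db01", "Pumps", "svc"))
```

The scanner reports the literal password, the `Pwd=` field of the ODBC string and the user:pass pair in the DSN, but stays quiet on `${APP_SECRET}` and on the builder's own `Pwd={password}` template, which is the behaviour a pre-commit or CI check on such a code base needs.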

4 of 37 comments

  1. Hacking galore! by Taco+Cowboy · Score: 2

    It's not only the infusion pumps that can be easily hacked; pacemakers can also be hacked, as well as a zillion types of other medical equipment.

    This is not all --- with the advent of the IoT (Internet of Things), and average homes gonna be populated with devices that can be remotely connected, it will be a hacking galore for those who are savvy with technology.

    --
    Muchas Gracias, Señor Edward Snowden !
  2. They should have used a NoSQL database. by Anonymous Coward · Score: 2, Funny

    Like the summary states, they experienced this problem because they used a SQL database.

    If they had used a NoSQL database instead, then none of this would have happened.

    When you use most NoSQL databases, you can't run into a problem like "a plaintext, hard-coded password for the SQL database".

    Why is that? Because most NoSQL database systems don't even support risky functionality like authentication.

    See, if you don't even need to provide a password to access the database, then you don't need to securely store this password. Since there's no password to be stored, there's no way it can be compromised.

    NoSQL is the only way to go in situations like these. NoSQL technology goes out of its way to remove functionality that can be easily exploited.

  3. Re:Makes you wonder . . . by Dr_Barnowl · Score: 3, Informative

    The buck stops with management. They get the pay, they get the responsibility.

    Of course, they're the ones who assess performance as well. No way are they actually going to take the heat for that.

    So the story is: bad management. They're not putting in the appropriate checks and balances, probably because they cost money. They're not interested in making a good product, they want to pad their pay packets. So the buck goes all the way to the top, to the people who decide remuneration policies.

    If the software developers don't give a damn, they're not being selected or motivated appropriately by management.

    And this is one of the myriad reasons why bonus culture sucks.

  4. And the solution is ... by DougPaulson · Score: 2

    And the solution is to not connect your Drug Infusion Pumps to the Intertubes!