Researcher: Drug Infusion Pump Is the "Least Secure IP Device" He's Ever Seen
chicksdaddy writes: This is a bad month for the medical equipment maker Hospira. First, security researcher Billy Rios finds a raft of serious and remotely exploitable holes in the company's MedNet software, prompting a vulnerability alert from ICS CERT. Now, one month later, ICS CERT is again warning of a "10 out of 10" critical vulnerability, this time in Hospira's LifeCare PCA drug infusion pump. The problem? According to this report by Security Ledger, the main problem was an almost total lack of security controls on the device. According to independent researcher Jeremy Williams, the PCA pump listens on Telnet port 23. Connecting to the device via Telnet, he was brought immediately to a root shell account that gave him total, administrator-level access to the pump without authentication. "The only thing I needed to get in was an interest in the pump," he said. Richards found other examples of loose security on the PCA 3: an FTP server that could be accessed without authentication and an embedded web server that runs Common Gateway Interface (CGI). That could allow an attacker to tamper with the pump's operation using fairly simple scripts. Also: The PCA pump stores wireless keys used to connect to the local (medical device) wireless network in plain text on the device. That means anyone with physical access to the pump (which has an Ethernet port) could gain access to the local medical device network and other devices on it. The problems prompted Richards to call the PCA 3 pump "the least secure IP enabled device" he has ever worked with.
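The finding that matters most in the summary above is not "Telnet is open" but "Telnet drops you straight into a root shell with no login prompt". That is the check a clinical-engineering or security team would want to run across a device fleet before anyone else does. What follows is an added example, written for this page and not code from Security Ledger, the researcher, or Hospira: a small Python probe that connects to a Telnet port, strips the IAC option negotiation so prompt matching sees plain text, nudges the service with a newline, and classifies the response as a login prompt, an unauthenticated root shell, an unauthenticated non-root shell, or unknown. To keep it runnable offline it also includes a constructed stand-in "device" served on localhost; the banners, prompt strings, and the classification labels are assumptions for illustration, not anything captured from a real pump.

```python
"""Audit probe for the failure mode described above: a Telnet service that
presents a shell prompt without ever asking for credentials.

Added example, not from the original post.  The fake device below is a
constructed stand-in so the probe can be exercised without real hardware.
"""
import socket
import threading

IAC = 0xFF                       # Telnet "Interpret As Command" byte
IAC_WITH_OPTION = {251, 252, 253, 254}   # WILL / WONT / DO / DONT, each followed by an option byte


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Drop IAC command sequences so only the text the device printed remains."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] == IAC and i + 1 < len(data):
            cmd = data[i + 1]
            if cmd == IAC:                     # escaped literal 0xFF
                out.append(IAC)
                i += 2
            elif cmd in IAC_WITH_OPTION:       # three-byte negotiation: IAC <cmd> <opt>
                i += 3
            else:                              # two-byte command (NOP, GA, ...)
                i += 2
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def classify(text: str) -> str:
    """Classify what the service showed us.  Labels are this example's own."""
    lowered = text.lower()
    if "login:" in lowered or "password:" in lowered:
        return "login-prompt"
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    last = lines[-1] if lines else text.strip()
    if last.endswith("#"):                     # conventional root prompt
        return "UNAUTH-ROOT-SHELL"
    if last.endswith("$") or last.endswith(">"):
        return "UNAUTH-SHELL"
    return "unknown"


def probe_telnet(host: str, port: int, timeout: float = 2.0) -> str:
    """Connect, read the banner, send a bare newline, read again, classify."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        for send_nudge in (False, True):
            if send_nudge:
                s.sendall(b"\r\n")             # some shells only print a prompt after input
            try:
                buf += s.recv(4096)
            except socket.timeout:
                pass
    return classify(strip_telnet_negotiation(buf).decode("utf-8", "replace"))


def serve_fake_device(on_connect: bytes, on_input: bytes) -> int:
    """Constructed stand-in for a device.  Sends `on_connect` when a client
    connects and `on_input` after the client sends anything.  Serves one
    connection on 127.0.0.1 and returns the ephemeral port it bound."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(on_connect)
            conn.settimeout(2.0)
            try:
                conn.recv(1024)
                conn.sendall(on_input)
            except socket.timeout:
                pass
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


# Constructed banners.  The first mimics the no-auth root shell in the article
# (prefixed with an IAC DO ECHO negotiation so the stripper is exercised);
# the second is what a minimally sane device would show instead.
FAKE_INSECURE = (b"\xff\xfd\x01pump shell ready\n# ", b"# ")
FAKE_WITH_LOGIN = (b"\xff\xfd\x01pump-ctrl login: ", b"login: ")

if __name__ == "__main__":
    for label, (banner, reply) in (("insecure", FAKE_INSECURE), ("with-login", FAKE_WITH_LOGIN)):
        port = serve_fake_device(banner, reply)
        print(f"{label:>10}: {probe_telnet('127.0.0.1', port)}")
```

Pointing `probe_telnet` at a real device is a one-line change; the result that should stop a deployment is `UNAUTH-ROOT-SHELL`. The prompt heuristics are deliberately simple, so treat `unknown` as "go look by hand" rather than "fine".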
You can also exploit the thing by opening it up and cutting wires.
Look, this is a medical device. People carry it around with them. Sometimes, a technician may need to make changes to it. They do that by plugging into an ethernet port on the device. Otherwise, it is never plugged in.
Do I need a security passcode on everything that somebody could walk up to? Give me a break. My microwave doesn't have one either.
Once your opponent has physical access to the sensitive medical devices that keep you alive, you're fucked. He could just as well put bleach in the insulin bag.
Except that it has an Ethernet port. With an open Telnet. On a PCA pump (Patient Controlled Analgesia - a morphine drip). Which can kill the patient with the wrong dose.
Oops.
I think that, in 2015, one can reasonably expect the rudiments of security with a machine designed to deliver accurate quantities of a potentially fatal drug. Sure, it doesn't need to be hardened against every potential exploit, but an open Telnet port? That's pretty weak sauce. Aside from potentially killing a patient, an addicted nurse / tech (I was going to say doctor, but they typically wouldn't know a Telnet port if it went up and bit them in the nose) could potentially use this to siphon off the drug for their own use. The things have various locks and passwords to prevent that exact thing from happening.
Faster! Faster! Faster would be better!
Dependency management.
It was bad enough trying to get people not to link in third-party libraries they didn't need - these devices roll in a whole OS-worth of dependencies and no one even bothered to check what they were. I'm not surprised these manufacturers screw up so much since they have meetings that go like this:
"So, Jack, we need to spin up the dev team really quick on this. The HW specs are almost complete for the drug pump and the ICs are in prototype."
"Yeah, we just don't know if it's CPU A or CPU B though and..."
"Don't worry about that we can hedge with the distro."
"Shall we just get them prototyping on Ubuntu?"
"Sure...let's just get them rolling so we can meet the spec for 3 months out. Just use the desktop one for now and we can port the major parts later."
[6 months later]
"Jack. We're 3 months behind now and marketing want something to evaluate. Ideas?"
"Well...Brian had a CL that mostly gets something interesting going. We could go with that cut?"
"Has it been evaluated for conformance?"
"Testing is 75% implemented with some flakes, but it's all green on nightly runs. We can bring that to mainline branch by the middle of nex..."
"We can do that in parallel. We'll give it to marketing as a tentative and eval for customer experience only."
[9 months later]
"Marketing were impressed. It looks pretty good to go so far, how are the bugs?"
"...why are we losing developers?"
"Oh, marketing took the demo to the board for an investor presentation. We're going to spin up a new dev team to finalize the specification on a new product."
"...but...that's not the product. Anyway, why are we losi..."
"The board doesn't think it needs that much more, really, it looks pretty good. It's okay, we can head them off from the production line. The hardware is pretty final right now so we'll just bring the firmware up at the end of the line."
[12 months later]
"Marketing are still looking for the gold cut on the approved SW release. Any news on that?"
"Wait, what? We've been working on a new can opener."
"..."
[13 months later]
"So, the board is happy with the can opener but we can probably open more markets if we include cloud technology."
"..."
[24 months later]
"Oh shit, did we release the update on the firmware?"
"Shit."
Is supposed to be the extensive testing and super security the industry is so renowned for.