Researcher: Drug Infusion Pump Is the "Least Secure IP Device" He's Ever Seen

← Back to Stories (view on slashdot.org)

Researcher: Drug Infusion Pump Is the "Least Secure IP Device" He's Ever Seen

Posted by samzenpus on Wednesday May 6, 2015 @11:47AM from the bottom-of-the-barrel dept.

chicksdaddy writes: This is a bad month for the medical equipment maker Hospira. First, security researcher Billy Rios finds a raft of serious and remotely exploitable holes in the company's MedNet software, prompting a vulnerability alert from ICS CERT. Now, one month later, ICS CERT is again warning of a "10 out of 10" critical vulnerability, this time in Hospira's LifeCare PCA drug infusion pump. The problem? According to this report by Security Ledger the main problem was an almost total lack of security controls on the device. According to independent researcher Jeremy Williams, the PCA pump listens on Telnet port 23. Connecting to the device via Telnet, he was brought immediately to a root shell account that gave him total, administrator level access to the pump without authentication. "The only thing I needed to get in was an interest in the pump," he said. Richards found other examples of loose security on the PCA 3: a FTP server that could be accessed without authentication and an embedded web server that runs Common Gateway Interface (CGI). That could allow an attacker to tamper with the pump's operation using fairly simple scripts. Also: The PCA pump stores wireless keys used to connect to the local (medical device) wireless network in plain text on the device. That means anyone with physical access to the Pump (which has an ethernet port) could gain access to the local medical device network and other devices on it. The problems prompted Richards to call the PCA 3 pump "the least secure IP enabled device" he has ever worked with.

57 of 83 comments (clear)

Min score:

Reason:

Sort:

Unacceptable by ToxicBanjo · 2015-05-06 11:59 · Score: 2

I work in animal health care and I don't see devices like this... nothing even freaking close. Truly stunning security was this lax.

--
There are only 10 kinds of people in the world. Those that understand binary and those that don't.
1. Re:Unacceptable by penguinoid · 2015-05-06 18:11 · Score: 1
  
  I know, right? I mean, just the other day I saw a computer for sale with a serious security vulnerability that could result in the computer being destroyed. Anyone with physical access and a high school student's hacking skills could hit the computer with an axe until it stopped working.
  
  --
  Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
2. Re:Unacceptable by TheReaperD · 2015-05-06 19:00 · Score: 1
  
  Yes, but in that case the "hacker" can kill the computer but, could not use that computer to kill you.
  
  --
  "Be particularly skeptical when presented with evidence confirming what you already believe." -
3. Re:Unacceptable by penguinoid · 2015-05-06 19:55 · Score: 1
  
  Anyone with physical access to you can kill you, and anyone with physical access to many types of medical equipment could set things up so someone else will kill you with it (eg poisoning).
  
  --
  Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
4. Re:Unacceptable by OneSizeFitsNoone · 2015-05-07 02:16 · Score: 1
  
  Could this be done over a network?
5. Re:Unacceptable by ArsenneLupin · 2015-05-07 02:20 · Score: 1
  
  Yes, but in that case the "hacker" can kill the computer but, could not use that computer to kill you.
  He could drop it on you...
6. Re:Unacceptable by cusco · 2015-05-07 03:15 · Score: 1
  
  You may have missed the The PCA pump stores wireless keys used to connect to the local (medical device) wireless network in plain text on the device. That means anyone with physical access to the Pump (which has an ethernet port) could gain access to the local medical device network and other devices on it.
  Once you're on the medical wireless network you now have access to **ALL** the other equally insecure PCA devices connected to it. You see, you don't need to even change any settings on your pump to get access to everyone else's pump. For something like a morphine pump I can see a market opportunity for someone who can adjust one's settings at will. For an insulin pump, well there may be prospective heirs interested in making adjustments as well . . .
  
  --
  "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
7. Re:Unacceptable by cusco · 2015-05-07 04:43 · Score: 1
  
  I work in physical security (key cards, security cameras, alarm systems, etc.) had have seen plenty of stuff this bad. For six years one of the highest quality megapixel IP security cameras on the market had a single user, "root", with a password of "system" that you could not change. Two others had only root or admin as users and you could only configure a 4 character lower-case alpha password (raised to 6 characters in a later firmware release). The absolute worst I've ever seen was Cisco's abortion of a system.
  I was in the training class at Cisco's headquarters, training to do our first (and fortunately only) deployment of this abysmal system. I had recently acquired a new port scanner and was playing with it on a break in the class, so pointed it at the encoder. Oh, Port 23 is open, let's see what I can do. Opened a telnet session, typed 'whoami', and it replied 'root'. I was so shocked I said "Holy crap!" loud enough to attract the instructor's attention. When I explained what I had found he didn't seem to think it was much of an issue, even though he was a Cisco lifer who had been around the company almost since the beginning. His exact quote was, "Well, since you're going to run the application on its own private network there won't be any issues." The entire class informed him what life in the real world was like.
  The application server was a Windows Server 2003 box with **NO** updates because Service Pack 1 broke the application. You had to log into it as Administrator to do anything. End users had to be administrators on their PCs to run the client, even though it ran in a web browser. It would run under XP SP1, but one of the later Windows updates broke the client so you couldn't update them either. As bad as all that was, the whole application did not follow any of the standard paradigms for viewing security video, it looked like a bunch of programmers got together and said, "If I wanted to view security video how would I want it to look?"
  Now I see that Cisco has it's own access control system as well, I can only imagine what a clusterfuck that thing will be.
  
  --
  "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
Re:Gee... by ToxicBanjo · 2015-05-06 12:05 · Score: 1

Linux

--
There are only 10 kinds of people in the world. Those that understand binary and those that don't.
CGI in a drug pump? by abulafia · 2015-05-06 12:05 · Score: 1

That's frickin' amazing. I can't wait to hear about drug pumps spamming from formail.cgi.

--
I forget what 8 was for.
1. Re:CGI in a drug pump? by Anonymous Coward · 2015-05-06 12:41 · Score: 5, Insightful
  
  Dependency management.
  It was bad enough trying to get people not to link in 3rd party libraries they didn't need - these devices roll in a whole OS-worth of dependencies and no-one even bothered to check what they were. I'm not surprised these manufacturers screw up so much since they have meetings that go like this:
  "So, Jack, we need to spin up the dev team really quick on this. The HW specs are almost complete for the drug pump and the ICs are in prototype."
  "Yeah, we just don't know if if's CPU A or CPU B though and..."
  "Don't worry about that we can hedge with the distro."
  "Shall we just get them prototyping on Ubuntu?"
  "Sure...let's just get them rolling so we can meet the spec for 3 months out. Just use the desktop one for now and we can port the major parts later."
  [6 months later]
  "Jack. We're 3 months behind now and marketing want something to evaluate. Ideas?"
  "Well...Brian had a CL that mostly gets something interesting going. We could go with that cut?"
  "Has it been evaluated for conformance?"
  "Testing is 75% implemented with some flakes, but it's all green on nightly runs. We can bring that to mainline branch by the middle of nex..."
  "We can do that in parallel. We'll give it to marketing as a tentative and eval for customer experience only."
  [9 months later]
  "Marketing were impressed. It looks pretty good to go so far, how are the bugs?"
  "...why are we losing developers?"
  "Oh, marketing took the demo to the board for an investor presentation. We're going to spin up a new dev team to finalize the specification on a new product."
  "...but...that's not the product. Anyway, why are we losi..."
  "The board doesn't think it needs that much more, really, it looks pretty good. It's okay, we can head them off from the production line. The hardware is pretty final right now so we'll just bring the firmware up at the end of the line."
  [12 months later]
  "Marketing are still looking for the gold cut on the approved SW release. Any news on that?"
  "Wait, what? We've been working on a new can opener."
  "..."
  [13 months later]
  "So, the board is happy with the can opener but we can probably open more markets if we include cloud technology."
  "..."
  [24 months later]
  "Oh shit, did we release the update on the firmware?"
  "Shit."
I don't understand the big deal by Anonymous Coward · 2015-05-06 12:05 · Score: 1

You can also exploit the thing by opening it up and cutting wires.
Look, this is a medical device. People carry it around with them. Sometimes, a technician may need to make changes to it. They do that by plugging into an ethernet port on the device. Otherwise, it is never plugged in.
Do I need a security passcode on everything that somebody could walk up to? Give me a break. My microwave doesn't have one either.
Once your opponent has physical access to the sensitive medical devices that keep you alive, you're fucked. He could just as well put bleach in the insulin bag.
1. Re:I don't understand the big deal by Quick+Reply · 2015-05-06 12:09 · Score: 1
  
  Yes, exactly right
2. Re:I don't understand the big deal by R3d+M3rcury · 2015-05-06 12:10 · Score: 4, Funny
  
  Look, this is a medical device. People carry it around with them.
  Actually, I believe it's meant for use in a hospital, not to be carried around.
  Next time they put me on morphine, I am so hacking into this... :^D
3. Re:I don't understand the big deal by cheater512 · 2015-05-06 12:19 · Score: 3, Informative
  
  Did you miss the bit where it said that it has wifi?
4. Re:I don't understand the big deal by ColdWetDog · 2015-05-06 12:21 · Score: 4, Insightful
  
  You can also exploit the thing by opening it up and cutting wires.
  Look, this is a medical device. People carry it around with them. Sometimes, a technician may need to make changes to it. They do that by plugging into an ethernet port on the device. Otherwise, it is never plugged in.
  Do I need a security passcode on everything that somebody could walk up to? Give me a break. My microwave doesn't have one either.
  Once your opponent has physical access to the sensitive medical devices that keep you alive, you're fucked. He could just as well put bleach in the insulin bag.
  Except that it has an Ethernet port. With an open Telenet. On a PCA pump (Patient Controlled Analgesia - a morphine drip). Which can kill the patient with the wrong dose.
  Oops.
  I think that, in 2015, one can reasonably expect the rudiments of security with a machine designed to deliver accurate quantities of a potentially fatal drug. Sure, it doesn't need to be hardened against every potential exploit but an open telenet port? That's pretty weak sauce. Aside from potentially killing a patient, an addicted nurse / tech (I was going to say doctor but they typically wouldn't know a telenet port if it went up and bit them in the nose) could potentially use this to siphon off the drug for their own use. The things have various locks and passwords to prevent that exact thing from happening.
  
  --
  Faster! Faster! Faster would be better!
5. Re:I don't understand the big deal by aXis100 · 2015-05-06 12:21 · Score: 3, Interesting
  
  Since it's storing local wireless keys on the device, I can only assume it has a wireless network interface and is intended to be connected for remote monitoring/administration.
6. Re:I don't understand the big deal by grahamwest · 2015-05-06 12:29 · Score: 2
  
  These are not patient-portable devices. They attach to an IV pole and control delivery of whatever drug is fed from the bag. They're modular, so they get mixed and matched from pole to pole (and presumably some stash on the ward) as necessary. They are not isolated; they communicate with other systems on the ward so that, for example, the nurse can come by and check on the patient when the bag is empty.
  Getting access to one of these wouldn't necessarily be that hard. Go to the ER with something that will get them to give you IV fluid and you'll find yourself left alone with one of these pumps. Install a worm and over time you'll have a lot of devices at your command and perhaps have gathered a lot of information into the bargain.
  
  --
  Graham
7. Re:I don't understand the big deal by Anonymous Coward · 2015-05-06 12:30 · Score: 1
  
  Except I can fuck you two ways to sunday, wirelessly. All because someone couldn't find the fucking time to secure that telnet.
  I don't mind someone having to plug a cable in. That I can veto, I can't veto someone in the next building trying to kill me, or god forbid getting killed by a script just scanning along.
8. Re:I don't understand the big deal by Anonymous Coward · 2015-05-06 12:56 · Score: 1
  
  As you say, an open telnet port accessible from an unauthenticated ethernet port, cleartext keys for the wifi through which unauthenticated CGI configuration is available, are pretty poor by any standards, not just 2015.
  I've seen some pretty staggeringly poor security on medical equipment and medical software - one of the classics is an electronic medical record software package (still in use) which uses a Vigenere cipher to encrypt user passwords in the database, but for some bizarre reason, the client software downloads the whole users table and caches it as a local CSV file (presumably to reduce the number of SQL queries on the database server, as some sort of ill thought-out performance optimization).
9. Re:I don't understand the big deal by by+(1706743) · 2015-05-06 13:01 · Score: 2
  
  Hopefully it ships with the man page...
10. Re:I don't understand the big deal by dbIII · 2015-05-06 13:09 · Score: 1
  
  I was going to say doctor but they typically wouldn't know a telenet port
  Amusing misspelling but it highlights that hardly anyone has heard of telnet, however anyone that wants to exploit these things could learn enough in less than half an hour.
  I also think the developers could have learnt better than to use it in half an hour but maybe it was cut and pasted code. The original Nintendo DS had enough grunt to run full ssh with a far less impressive CPU than these devices have so there is no excuse.
11. Re:I don't understand the big deal by viperidaenz · 2015-05-06 13:30 · Score: 2
  
  Don't forget about the wifi connection.
12. Re:I don't understand the big deal by just+another+AC · 2015-05-06 13:39 · Score: 1
  
  Next time they put me on morphine, I am so hacking into this... :^D
  And when you cause that overflow and your morphine level goes to -1 and you lose all your pain relief, I hope the doctors and nurses take their sweet time fixing it. You will then learn:
  1. Just because you can, doesn't mean you should. Curiosity and knowledge come at a price, and you must be prepared to pay that.
  2. 1337 satisfaction pain
  3. The medical staff are busy enough without some patient trying to break their equipment.
13. Re:I don't understand the big deal by just+another+AC · 2015-05-06 13:41 · Score: 2
  
  2. 1337 satisfaction < pain
  slashcode ate my <
14. Re:I don't understand the big deal by beelsebob · 2015-05-06 13:41 · Score: 2
  
  The issue is that you can connect to it wirelessly, and command it to give lethal doses of drugs remotely... That's pretty frickin bad ;)
15. Re:I don't understand the big deal by AJWM · 2015-05-06 16:17 · Score: 1
  
  Telenet was a dial-up access packet-switched network (think X.25) back before internet access was a common thing, similar to rival company Tymnet. I spent many, many hours on Telenet back in the day, logged into BIX.
  You probably meant telnet, the *nix app which has been around even longer. When internet access became publicly available, I'd telnet into BIX (while it lasted, sigh).
  
  --
  -- Alastair
16. Re:I don't understand the big deal by SuricouRaven · 2015-05-06 18:37 · Score: 1
  
  Is that as evil as you can get? You can kill people with this, from a long distance. Just make a worm, take ransom in bitcoins. You should be able to amass a tidy sum in the few days it takes to get every pump in the country disconnected and replaced.
17. Re:I don't understand the big deal by TheReaperD · 2015-05-06 19:04 · Score: 1
  
  I don't know. That's a competition between ego and pain tolerance. By the time the pain tolerance loses the ego may have already won.
  
  --
  "Be particularly skeptical when presented with evidence confirming what you already believe." -
18. Re:I don't understand the big deal by Hognoxious · 2015-05-06 22:05 · Score: 1
  
  It's now a Belgian ISP. As is Skynet...
  
  --
  Confucius say, "Find worm in apple - bad. Find half a worm - worse."
19. Re:I don't understand the big deal by Grishnakh · 2015-05-07 02:22 · Score: 1
  
  Look, this is a medical device. People carry it around with them. Sometimes, a technician may need to make changes to it. They do that by plugging into an ethernet port on the device. Otherwise, it is never plugged in.
  Wrong.
  These devices (and lots more medical devices) are now all being WiFi-enabled, so that they can be monitored from the central nursing station. These devices keep people alive, so just waiting until it breaks and you find the patient lying on the floor somewhere isn't good enough; they have to be actively monitored.
20. Re:I don't understand the big deal by Mariner28 · 2015-05-07 05:13 · Score: 1
  
  Current hysteria sounds like assassins can use the pump to kill their targets and avoid discovery, which unless answers are "yes" and "yes" is false, or at least no worse than current medical devices.
  Maybe the pump is crap, but the security researcher here is more crap, and /. peanut gallery is worst crap.
  That is in fact what the researcher is saying - the answers are yes and yes. By simply gaining access to any configured PCA pump, whether it's in hospital inventory, on any patient (including an attacker admitted as a patient), an attacker can remotely manipulate any identical PCA pump on the "secure" wireless network. And as others have said, since these pumps generally dispense opioid pain killers, it would be trivial to kill most any patient attached to one.
  What you're advocating is security by obscurity. Since this flaw is no longer obscure, the pump is no longer secure. Oh God, I'm channeling Johnny Cochran during the OJ trial.
  
  --
  "A little misunderstanding? Galileo and the Pope had a little misunderstanding."
Re:Queue the lawsuit... by Anonymous Coward · 2015-05-06 12:10 · Score: 1

Well yeah. Duh. And it's cue, not queue.
my mother-in-law mysteriously went into a coma by turkeydance · 2015-05-06 12:13 · Score: 1

the coroner has no clue.
1. Re:my mother-in-law mysteriously went into a coma by viperidaenz · 2015-05-06 13:32 · Score: 1
  
  It was a good thing you had the new version of her will notarized last week.
Re:Queue the lawsuit... by turkeydance · 2015-05-06 12:15 · Score: 1

cute.
Re:Queue the lawsuit... by damn_registrars · 2015-05-06 12:17 · Score: 3, Funny

Well yeah. Duh. And it's cue, not queue.
Unless you are building a queue of lawsuits. If the pump is fairly common in the health care industry, that could be the case.

--
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
Re:Queue the lawsuit... by Livius · 2015-05-06 12:40 · Score: 1

Well, you cue several lawsuits to queue up.
Sounds as insecure as some phone systems by dbIII · 2015-05-06 13:02 · Score: 1

Sounds as insecure as some phone systems - but much more of a worry.
Sounds like development on the cheap and pocket the profits for selling the niche product for a fortune.
Re:PCA, Patient Controlled Analgesics by ColdWetDog · 2015-05-06 13:10 · Score: 2

The problem is that somebody else can get to the supply. The system goes through a lot of trouble to make sure somebody doesn't siphon off the drug. Getting into the guts of the machine, bypassing the log functions and bog knows what else might be very tempting to the right person. All the more so since the pumps are used all of the time - you could have a good supply of your favorite narcotic.
I give it a couple of weeks before a simple exploit gets published somewhere.

--
Faster! Faster! Faster would be better!
Re:Queue the lawsuit... by Immerman · 2015-05-06 13:11 · Score: 1

Nice. Of course then it should have been "Queue the lawsuit s ".

--
--- Most topics have many sides worth arguing, allow me to take one opposite you.
The excuse for insanely high med device prices by Applehu+Akbar · 2015-05-06 13:36 · Score: 3, Insightful

Is supposed to be the extensive testing and super security the industry is so renowned for.
1. Re:The excuse for insanely high med device prices by phantomfive · 2015-05-06 18:41 · Score: 1
  
  They are high because of the FDA approval process, which is long and expensive, but doesn't entirely relate to reality.
  
  --
  "First they came for the slanderers and i said nothing."
2. Re:The excuse for insanely high med device prices by Anonymous Coward · 2015-05-06 19:07 · Score: 1
  
  You pay for documentation and audits of documentation and work flows. Noone acually checks what the hell you put in your device, but damn you if you don't do waterfall work flow if your documents says you do.
  I worked as a software developer on an intensive care unit.
Re:PCA, Patient Controlled Analgesics by cdrudge · 2015-05-06 13:38 · Score: 1

If you're going to steal the drugs, you're just going to slip into the room, snip the tube, and walk out with the bottle of narcotics. You're not going to bother to hack the system so that it doses out an extra mg or two for you to siphon off. Even if you did manage to bypass any other hurdles and got the machine to dose out more than it was suppose to, at most you'd get fairly limited supply before they realized they went through a bottle of narcotics far faster than the machine should have been administrating it.
Re:Queue the lawsuit... by beelsebob · 2015-05-06 13:40 · Score: 1

No, queueing the lawsuit would still be valid - it would be the act of adding that one single lawsuit to the queue.
Re:PCA, Patient Controlled Analgesics by darronb · 2015-05-06 13:51 · Score: 2

It's even easier. You just shut it off and pull the drug while they're sleeping.
My dad had that happen at least once during a weeks long hospital stay. They took forever figuring out how to get him more morphine... as he'd already been prescribed and there are at least reasonable safeguards on the overprescription side.
They even had an idea who it was, as missing drugs was a problem in that ward. They didn't do anything, just said "watch out for that guy". I'm sure they eventually caught him... it's extremely likely someone like that is going to make a mistake... but he sure was hurting a lot of people along the way. The hospital sure could have tried harder to catch him.
Not surprising! by Anonymous Coward · 2015-05-06 14:53 · Score: 1

As a former employee of Hospira who was outsourced (after starting from day 1 and working there for 6 years) - I am not surprised. Moving all IT and development offshore was going to have its consequences, and reading this makes me gloat.
Re:PCA, Patient Controlled Analgesics by Harlequin80 · 2015-05-06 16:08 · Score: 1

I had a PCA hooked up after having my broken my collar bone and shattered my wrist re-assembled. The method for me to get a shot of morphine was to simply push a button. The system was set that I could only get a certain number of presses per hour.
That said I didn't use the button at all. They had given me oral painkillers and I was fine with those for the 8 hours I had to wait before they let me go home. For the most part I was just seriously bored. My entertainment was my laptop and watching tv shows on it. It would have been trivial for me to connect an Ethernet cable and mess away.
Re:Queue the lawsuit... by arglebargle_xiv · 2015-05-06 17:58 · Score: 1

Well yeah. Duh. And it's cue, not queue.
Unless you are building a queue of lawsuits
I think the OP was referring to a queue of landsharks in suits lining up to sue.
Re:Gee... by TheReaperD · 2015-05-06 18:56 · Score: 2

Shows that any OS can be made insecure by incompetent moron administrators/users or, likely in this case, PHBs.

--
"Be particularly skeptical when presented with evidence confirming what you already believe." -
Re:Gee... by TheReaperD · 2015-05-06 18:59 · Score: 1

*moronic... dammit. I know why Slashdot doesn't have an edit feature but, I hate it also.

--
"Be particularly skeptical when presented with evidence confirming what you already believe." -
Oblig. response by maestroX · 2015-05-06 20:52 · Score: 1

not a bug, it's a feature ;)
Re:Queue the lawsuit... by Alien1024 · 2015-05-06 21:55 · Score: 1

Cue the class action
Re:Gee... by BVis · 2015-05-07 00:06 · Score: 2

Truth.
At my last job, I was talking about the input validation that I'd created on a web application. My PHB asked why I had done that, since the client hadn't asked for it.
If I could include pictures with a Slashdot post, it would be the Jackie Chan "My Brain Is Full Of Fuck" meme.

--
Never underestimate the power of stupid people in large groups.
And yet... by skovnymfe · 2015-05-07 01:58 · Score: 1

And yet, the stock price is at an all-time high. Must be all the media attention!
Re:Queue the lawsuit... by OneSizeFitsNoone · 2015-05-07 02:19 · Score: 1

...2...1...ERROR: page boundary violation at 0x3ed57a09000e
Dumping process state in: /var/log/sys/{$$83456/xdfetklasfhj526%dkgi}...