Slashdot Mirror


Researcher: Drug Infusion Pump Is the "Least Secure IP Device" He's Ever Seen

chicksdaddy writes: This is a bad month for the medical equipment maker Hospira. First, security researcher Billy Rios finds a raft of serious and remotely exploitable holes in the company's MedNet software, prompting a vulnerability alert from ICS CERT. Now, one month later, ICS CERT is again warning of a "10 out of 10" critical vulnerability, this time in Hospira's LifeCare PCA drug infusion pump. The problem? According to this report by Security Ledger the main problem was an almost total lack of security controls on the device. According to independent researcher Jeremy Williams, the PCA pump listens on Telnet port 23. Connecting to the device via Telnet, he was brought immediately to a root shell account that gave him total, administrator level access to the pump without authentication. "The only thing I needed to get in was an interest in the pump," he said. Richards found other examples of loose security on the PCA 3: a FTP server that could be accessed without authentication and an embedded web server that runs Common Gateway Interface (CGI). That could allow an attacker to tamper with the pump's operation using fairly simple scripts. Also: The PCA pump stores wireless keys used to connect to the local (medical device) wireless network in plain text on the device. That means anyone with physical access to the Pump (which has an ethernet port) could gain access to the local medical device network and other devices on it. The problems prompted Richards to call the PCA 3 pump "the least secure IP enabled device" he has ever worked with.
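The summary lists the services the researcher found exposed on the pump: Telnet, anonymous FTP and a CGI web server. An added example, not from the Slashdot post, Security Ledger or Hospira, of the kind of check a hospital network team could run over its own flow logs to spot clear-text management traffic reaching the pump segment; the subnet, the approved clinical-engineering host and the Zeek-style conn.log lines are all constructed assumptions.

```python
"""Flag clear-text management connections to a medical-device VLAN.
Added example; the segment, jump host and log lines below are assumptions."""
import ipaddress
from typing import Dict, List

# Constructed sample in Zeek conn.log column order (tab separated):
# ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, conn_state
SAMPLE_CONN_LOG = """\
1430000001.1\t10.20.5.14\t51234\t10.99.1.21\t23\ttcp\tSF
1430000002.2\t10.99.1.5\t40000\t10.99.1.21\t22\ttcp\tSF
1430000003.3\t10.20.7.9\t51300\t10.99.1.22\t21\ttcp\tSF
1430000004.4\t10.99.1.5\t40100\t10.99.1.22\t23\ttcp\tSF
1430000005.5\t10.20.5.14\t51400\t10.99.1.23\t80\ttcp\tS0
"""

DEVICE_SEGMENT = ipaddress.ip_network("10.99.1.0/24")  # assumed pump VLAN
CLINICAL_ENG_HOST = ipaddress.ip_address("10.99.1.5")  # assumed maintenance host
# The services the article reports on the pump: Telnet, FTP, CGI web server
WATCHED_PORTS = {23: "telnet", 21: "ftp", 80: "http-cgi"}


def audit_conn_log(log_text: str) -> List[Dict[str, str]]:
    """Return one alert per TCP connection to a watched service on a device
    in the pump segment that did not come from the approved maintenance host."""
    alerts: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig_h, _orig_p, resp_h, resp_p, proto, state = line.split("\t")
        dst = ipaddress.ip_address(resp_h)
        port = int(resp_p)
        if proto != "tcp" or dst not in DEVICE_SEGMENT or port not in WATCHED_PORTS:
            continue
        if ipaddress.ip_address(orig_h) == CLINICAL_ENG_HOST:
            continue  # sanctioned maintenance path; review separately
        alerts.append({
            "ts": ts,
            "src": orig_h,
            "pump": resp_h,
            "service": WATCHED_PORTS[port],
            # SF means the handshake completed, so the service really answered
            "established": "yes" if state == "SF" else "no",
        })
    return alerts


if __name__ == "__main__":
    for alert in audit_conn_log(SAMPLE_CONN_LOG):
        print(alert)
```

On the constructed sample this yields three alerts: an established Telnet session and an established FTP session from workstation addresses, and an unanswered probe of the web server.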

17 of 83 comments

  1. Unacceptable by ToxicBanjo · · Score: 2

    I work in animal health care and I don't see devices like this... nothing even freaking close. Truly stunning that security was this lax.

    --
    There are only 10 kinds of people in the world. Those that understand binary and those that don't.
  2. Re:I don't understand the big deal by R3d M3rcury · · Score: 4, Funny

    Look, this is a medical device. People carry it around with them.

    Actually, I believe it's meant for use in a hospital, not to be carried around.

    Next time they put me on morphine, I am so hacking into this... :^D

  3. Re:Queue the lawsuit... by damn_registrars · · Score: 3, Funny

    Well yeah. Duh. And it's cue, not queue.

    Unless you are building a queue of lawsuits. If the pump is fairly common in the health care industry, that could be the case.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  4. Re:I don't understand the big deal by cheater512 · · Score: 3, Informative

    Did you miss the bit where it said that it has wifi?

  5. Re:I don't understand the big deal by ColdWetDog · · Score: 4, Insightful

    You can also exploit the thing by opening it up and cutting wires.

    Look, this is a medical device. People carry it around with them. Sometimes, a technician may need to make changes to it. They do that by plugging into an ethernet port on the device. Otherwise, it is never plugged in.

    Do I need a security passcode on everything that somebody could walk up to? Give me a break. My microwave doesn't have one either.

    Once your opponent has physical access to the sensitive medical devices that keep you alive, you're fucked. He could just as well put bleach in the insulin bag.

    Except that it has an Ethernet port. With an open Telnet. On a PCA pump (Patient Controlled Analgesia - a morphine drip). Which can kill the patient with the wrong dose.

    Oops.

    I think that, in 2015, one can reasonably expect the rudiments of security with a machine designed to deliver accurate quantities of a potentially fatal drug. Sure, it doesn't need to be hardened against every potential exploit but an open Telnet port? That's pretty weak sauce. Aside from potentially killing a patient, an addicted nurse / tech (I was going to say doctor but they typically wouldn't know a Telnet port if it went up and bit them in the nose) could potentially use this to siphon off the drug for their own use. The things have various locks and passwords to prevent that exact thing from happening.

    --
    Faster! Faster! Faster would be better!
  6. Re:I don't understand the big deal by aXis100 · · Score: 3, Interesting

    Since it's storing local wireless keys on the device, I can only assume it has a wireless network interface and is intended to be connected for remote monitoring/administration.

  7. Re:I don't understand the big deal by grahamwest · · Score: 2

    These are not patient-portable devices. They attach to an IV pole and control delivery of whatever drug is fed from the bag. They're modular, so they get mixed and matched from pole to pole (and presumably some stash on the ward) as necessary. They are not isolated; they communicate with other systems on the ward so that, for example, the nurse can come by and check on the patient when the bag is empty.

    Getting access to one of these wouldn't necessarily be that hard. Go to the ER with something that will get them to give you IV fluid and you'll find yourself left alone with one of these pumps. Install a worm and over time you'll have a lot of devices at your command and perhaps have gathered a lot of information into the bargain.

    --
    Graham
  8. Re:CGI in a drug pump? by Anonymous Coward · · Score: 5, Insightful

    Dependency management.

    It was bad enough trying to get people not to link in 3rd party libraries they didn't need - these devices roll in a whole OS-worth of dependencies and no-one even bothered to check what they were. I'm not surprised these manufacturers screw up so much since they have meetings that go like this:

    "So, Jack, we need to spin up the dev team really quick on this. The HW specs are almost complete for the drug pump and the ICs are in prototype."
    "Yeah, we just don't know if it's CPU A or CPU B though and..."
    "Don't worry about that we can hedge with the distro."
    "Shall we just get them prototyping on Ubuntu?"
    "Sure...let's just get them rolling so we can meet the spec for 3 months out. Just use the desktop one for now and we can port the major parts later."

    [6 months later]

    "Jack. We're 3 months behind now and marketing want something to evaluate. Ideas?"
    "Well...Brian had a CL that mostly gets something interesting going. We could go with that cut?"
    "Has it been evaluated for conformance?"
    "Testing is 75% implemented with some flakes, but it's all green on nightly runs. We can bring that to mainline branch by the middle of nex..."
    "We can do that in parallel. We'll give it to marketing as a tentative and eval for customer experience only."

    [9 months later]

    "Marketing were impressed. It looks pretty good to go so far, how are the bugs?"
    "...why are we losing developers?"
    "Oh, marketing took the demo to the board for an investor presentation. We're going to spin up a new dev team to finalize the specification on a new product."
    "...but...that's not the product. Anyway, why are we losi..."
    "The board doesn't think it needs that much more, really, it looks pretty good. It's okay, we can head them off from the production line. The hardware is pretty final right now so we'll just bring the firmware up at the end of the line."

    [12 months later]

    "Marketing are still looking for the gold cut on the approved SW release. Any news on that?"
    "Wait, what? We've been working on a new can opener."
    "..."

    [13 months later]
    "So, the board is happy with the can opener but we can probably open more markets if we include cloud technology."
    "..."

    [24 months later]
    "Oh shit, did we release the update on the firmware?"
    "Shit."

  9. Re:I don't understand the big deal by by (1706743) · · Score: 2

    Hopefully it ships with the man page...

  10. Re:PCA, Patient Controlled Analgesics by ColdWetDog · · Score: 2

    The problem is that somebody else can get to the supply. The system goes through a lot of trouble to make sure somebody doesn't siphon off the drug. Getting into the guts of the machine, bypassing the log functions and bog knows what else might be very tempting to the right person. All the more so since the pumps are used all of the time - you could have a good supply of your favorite narcotic.

    I give it a couple of weeks before a simple exploit gets published somewhere.

    --
    Faster! Faster! Faster would be better!
  11. Re:I don't understand the big deal by viperidaenz · · Score: 2

    Don't forget about the wifi connection.

  12. The excuse for insanely high med device prices by Applehu Akbar · · Score: 3, Insightful

    Is supposed to be the extensive testing and super security the industry is so renowned for.

  13. Re:I don't understand the big deal by just another AC · · Score: 2

    2. 1337 satisfaction < pain

    slashcode ate my <

  14. Re:I don't understand the big deal by beelsebob · · Score: 2

    The issue is that you can connect to it wirelessly, and command it to give lethal doses of drugs remotely... That's pretty frickin bad ;)

  15. Re:PCA, Patient Controlled Analgesics by darronb · · Score: 2

    It's even easier. You just shut it off and pull the drug while they're sleeping.

    My dad had that happen at least once during a weeks long hospital stay. They took forever figuring out how to get him more morphine... as he'd already been prescribed and there are at least reasonable safeguards on the overprescription side.

    They even had an idea who it was, as missing drugs was a problem in that ward. They didn't do anything, just said "watch out for that guy". I'm sure they eventually caught him... it's extremely likely someone like that is going to make a mistake... but he sure was hurting a lot of people along the way. The hospital sure could have tried harder to catch him.

  16. Re:Gee... by TheReaperD · · Score: 2

    Shows that any OS can be made insecure by incompetent moron administrators/users or, likely in this case, PHBs.

    --
    "Be particularly skeptical when presented with evidence confirming what you already believe." -
  17. Re:Gee... by BVis · · Score: 2

    Truth.

    At my last job, I was talking about the input validation that I'd created on a web application. My PHB asked why I had done that, since the client hadn't asked for it.

    If I could include pictures with a Slashdot post, it would be the Jackie Chan "My Brain Is Full Of Fuck" meme.

    --
    Never underestimate the power of stupid people in large groups.