Over 1,400 Vulnerabilities Found In Automated Medical Supply System
An anonymous reader writes: Security researchers have discovered 1,418 vulnerabilities in CareFusion's Pyxis SupplyStation system -- automated cabinets used to dispense medical supplies -- that are still being used in the healthcare and public health sectors in the US and around the world. The vulnerabilities can be exploited remotely by attackers with low skills, and exploits that target these vulnerabilities are publicly available. Things already seem to be getting out hand.
But only if you put an APP in your APP so you can APP while you APP.
Medical and healthcare companies consistently seem to have *no idea* whatsoever about security, and *no idea* that they actually need to hire someone who knows security.
Anything with a computer in it needs to take into account security. If you're putting code into your product and don't know security and aren't hiring someone who does, you're doing it wrong. Medical devices, cars, even Bluetooth toilets. If it communicates with the outside world or is exposed to users who aren't authorized full control over the device, it needs security. If you don't do it, your product is a ticking time bomb waiting for a researcher, if you're lucky, or a malicious attacker, if you aren't, to notice the lack of security. This will keep happening until everyone gets the message.
Things already seem to be getting out hands.
Getting or giving? Big difference.
On a completely unrelated note, I could use a hand.
Have you ever fallen asleep at the keybhanusdiog?
You should've done an Easter special post on Sunday... like:
If these LUDDITES used eggs instead of LUDDITE software, everything would be 100% eggy, because only eggs can egg eggs!
Eggs!
No shit, Sherlock.
Windows XP and Windows 2003 systems are prone to all sorts of horrible security flaws. Reading the Fucking Article I see that the newer, non-EOL, equipment isn't prone to any of these problems.
I wonder how many vulnerabilities are in older Cisco routers that haven't been patched since 2007?
Wheel of Time: Book by Book and Sumview (summary review) Bigdady92 style: http://bigdady92.blogspot.com/
I worked at a competitor of Pyxis who created similar automated drug dispensing cabinets, and the market research at the time was that they all were pretty insecure. When I left my company they were dealing with a defect where anyone with a screwdriver could bypass the locking mechanism of our newest model (meant for the area where the schedule 2 drugs were kept).
At the time (almost 10 years ago) these devices were meant to help with inventory management, not to be ultra-secure safes. Anyone with even moderate training using these devices could steal drugs if they wanted. Most thieves were caught only because of the sheer volume of drugs they stole over months or even years.
-- All that is necessary for the triumph of evil is that good men do nothing. -- Edmund Burke
The submitter should scan his system. He may have that evil keyboard-changer joke infection that wasn't supposed to be released until this Friday (March 32nd).
What if you want to APP while you CRAP?
Because, well, just because.
. . . . year or two back, my oldest daughter entered a program to learn the "EPIC" medical records system. Now, admittedly, we're a geekhaus, my daughters were doing computers at age 5, and my youngest managed to hack the oldest by examining her browser cache at age 8.
But she came back from the first day or two of training, shaking HER head. Not only was there no folder security, but, at least as configured there, every user was an admin. Each of which could mess with another's files and account settings.
Worse still, they were being trained at the site where the system was being hosted for production. No physical security. No backup power: in fact, zero redundancy whatsoever. And data backup ? "What's that ?"
She wrote up a 2-page summary of problems SHE saw (and her training was in Medical Administration, although she DID learn Security from me. . .). She sends it to the POC at the Hospital the system was in the process of being installed for. . . .and the EPIC people dropped her from the course.
There's a cherry on the top of this Sundae of Fail: she was eventually hired by the Hospital as, surprisingly enough, a Ward Medical Admin. And the IT Department comes to HER for help and suggestions. . . .
"The vulnerabilities can be exploited remotely by attackers with low skills"
Then what the f**k are these devices doing even directly connected to the public Internet?
I hate it when things get out hands.
Oh... who doesn't APP while they CRAP?
"Things already seem to be getting out hands."
Wouldn't want raiders and minutemen unable to access medical supplies locked in a secure machine.
Does MUMPS even do security or does it need root / admin to run at all?
I saw this guy driving a pickup truck yesterday that said "ZOMBIE RESPONSE TEAM" on the side.
3rd party vendors control devices in hospitals, and by control it can be way more than just IT control of them.
You people are APP'ING CRAZY!
You just can't app the app! You need to load the app for that.
I take no responsibility for what I say. Even though I'm never wrong
This is why I don't feel like my expertise is a frivolous cost, no matter how many times corporations try to tell me that.
Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
I don't know about you, but I'd be proud as hell if I'd managed to write an application that had 1400+ vulnerabilities.
It must have taken a lot of work and testing to make sure it was that porous and vulnerable. I mean, just think of all the work involved in taking out all of the bounds checking, sanity tests, input validation, error checking, etc etc.
IF ($INPUT){
GRANT FULL ADMIN SUPERUSER ACCESS OMG;
}ELSE{
GRANT FULL ADMIN SUPERUSER ACCESS OMG;
}
Just cruising through this digital world at 33 1/3 rpm...
Pyxis (& similar supply cabinets) were primarily concerned with keeping unauthorized staff from taking prescription drugs from the cabinets and properly documenting the authorized clinicians who did access drugs.
From what I've heard here in this post, it seems security mostly stopped at that level of clinician access limitations.
How long until someone gets hospitalized, hacks their own medicine dispenser in a harmless yet threatening way and then sues the hospital for millions? That might easily end up being far more lucrative (and, possibly, easier?) than ransomware-ing the place...
Obamacare has nothing to do with this story at all, but don't let that stop you from getting your dig in on big government: The issue here is entirely 100% due to the war on some drugs and the government telling everyone what they can and can't put in their bodies.
I've seen this problem in many organizations run by people who consider themselves to be in a "profession" like doctors, lawyers, and to a varied extent anyone with a non-computer PhD. The attitude seems to be that "I am smart, so I can figure this out without paying someone who knows what they're doing, and I'll do a better and less expensive job." This applies to many aspects of running an organization, with IT and finance/budget being two very egregious areas. I've seen many a small R&D company fail because its principal owners/operators try to do the finance/budget side after the company has become larger than a couple of people, and lots of computer security issues in companies where this "we can do it all" attitude holds sway. They can't quite see that people pay them for their expertise, so why should they balk at paying other people for expertise they don't themselves have? I've been expecting a security meltdown at hospitals and medical facilities ever since the big money pushed in a few years ago by the Government to drag medical IT into at least the last decade of the 20th century. This will be quite the roller-coaster ride.
giving out head?
Carefusion just buys other companies, e.g., ventilator companies.
Not surprising they don't care about security (or safety of ventilators, look it up).
Internet of critical sh*t.
Apparently "security researchers" now means "anybody who can run a Nessus scan." I am disappointed.
CRAP... I don't want to clean up the mess when somebody does a knee jerk reaction and jumps first (without looking at downstream dependencies)
As someone supporting one of the largest integrated health systems in the world, I'd say part of the issue is that there is tremendous pressure to keep costs low across the healthcare industry (except for maybe the drug makers), and this creates tremendous pressure to deliver "functionality" at the expense of non-functional things, such as security. I'm constantly amazed at the lack of quality that comes from the IT products in this industry. Riddled with security holes. While I'd like to say it's something as simple as "get the developers to write better, more secure code", there seems to be a cultural thing across the industry at the executive management level: whenever quality and security are brought up, there seems to be an acceptance that they take a back seat to functionality, as this all costs money, something that they're unwilling or unable (budgetary) to spend. Unfortunate.
Security-through-obscurity
SupplyStations are usually located in remote/very small medical facilities and DID NOT utilize the Supply Station server at the care facility. Most of the ones I encountered used a dialup modem to communicate with a 3rd party pharmacy or other billing party every 15-30 min. SS Servers were located in pharmacies, more on them below. To be fair, though, I don't know what, if any, encryption they used in this specific implementation.
For the SSs having an actual LAN connection and SupplyStationServer onsite, the entire SupplyStation implementation was isolated on its own subnet and any outside communication was blocked, NATed, or over VPN to specific third parties including Cardinal Health/Carefusion support. I forget the name of their remote support software, but it's similar to Bomgar.
Getting physical access to these machines is pretty difficult at a facility. Nurses are pretty aggressive about asking you who you are and what you are doing here, and the machines are usually in locations where they congregate.
Carefusion support and engineers are typically excellent. HIPAA is a big deal and Carefusion doesn't like lawsuits any more than any other company.
[More on me, I was an affiliate/subcontractor for CF. I worked for a company holding a contract with CF. I made on average $11.50 an hour, no bennies with this company... They stopped trusting affiliates to use their remote support software 6mo after I started working for them (awesome). I didn't help with actual IT implementation unless it was to move a heavy thing from one place to another - the above is from conversations with CF engineers, facility IT staff, CF call center personnel, and hindsight illuminated by subsequent career experience ]
I thought I RTFA but I don't understand what the actual vulnerabilities are. I work in a hospital with hundreds, if not thousands, of these (no idea if ours are EOL or not), but I can't figure out what the actual clinical implications of these vulnerabilities are (mostly because I can't see what the vulnerabilities allow).
It hurts whenever I CRAP an APP.
Sleep your way to a whiter smile...date a dentist!