In April, a security researcher disclosed a litany of severe vulnerabilities in the PCA3 drug-infusion pump manufactured by a company named Hospira. He went so far as to call the pump “the least secure IP enabled device I’ve ever touched in my life.” As it turns out, those same vulnerabilities exist in many of Hospira’s other pumps.
The story actually began nearly a year before researcher Jeremy Richards disclosed the vulnerabilities, an action that prompted the Food and Drug Administration to issue its first public security notice. In May 2014, researcher Billy Rios notified the Department of Homeland Security that he had discovered the same vulnerabilities in the PCA3 pump later disclosed by Richards, as well as some other bugs. Nothing ever came of Rios’s private disclosure, and no patches have been published for the vulnerabilities at this point. Among the vulnerabilities in the PCA3 pump are an unauthenticated remote root shell and hard-coded local credentials that are open to easy brute-forcing.
But at the time of his initial discovery, Rios, who is well-known for his research on ICS, SCADA and devices, told Hospira officials that it would be a smart move to check their other products to see if they had any of the same vulnerabilities.
“In May of 2014, I recommended Hospira conduct an analysis to determine whether other infusion pumps within their product lines were affected. Five months after my request for a variant analysis, I received notification that Hospira was ‘not interested in verifying that other pumps are vulnerable’,” Rios said in a post Monday.
“Given the vendor refuses to conduct an analysis of other pumps that are affected by publicly known security issues, I decided to independently purchase additional pumps and perform this analysis for them.”
The pumps that Rios bought are designed to deliver controlled doses of medication to patients on set schedules. He found that the Hospira Plum A+, PCA LifeCare and Symbiq pumps all run on the same software as the known-vulnerable PCA3 and PCA5, and are open to the same vulnerabilities.
“What I found was very interesting, many of Hospira’s infusion pumps utilize IDENTICAL SOFTWARE on their infusion pumps communications module, making them vulnerable to the exact same security issues associated with the PCA 3,” Rios said.
The bugs he found in these products include the ability to forge drug library updates on the pumps, an unauthenticated telnet shell to the communications module, hard-coded service credentials shared among all the pumps, identical private keys across the devices, identical private certificates across the devices, and a host of unpatched software on the pumps that opens them up to other vulnerabilities.
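Two of the findings above, identical certificates and keys across devices and an unauthenticated telnet service on the communications module, are the kind of thing a hospital security team can check for in its own device inventory without touching the vendor's software. The following script is an added example, not code from the article or from Hospira or Rios; the device ids, certificate bytes and open-port sets are constructed placeholders standing in for what an asset inventory or authorized network scan would provide.

```python
import hashlib
from collections import defaultdict

# Constructed inventory: device id -> (certificate bytes, set of open TCP ports).
# In practice this would be populated from an asset inventory or an authorized scan.
_SHARED_CERT = b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED-SHARED-CERT\n-----END CERTIFICATE-----\n"
_UNIQUE_CERT = b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED-UNIQUE-CERT\n-----END CERTIFICATE-----\n"

INVENTORY = {
    "pump-01": (_SHARED_CERT, {23, 443}),
    "pump-02": (_SHARED_CERT, {443}),
    "pump-03": (_UNIQUE_CERT, {443}),
    "pump-04": (_SHARED_CERT, {23, 8443}),
}


def cert_fingerprint(cert: bytes) -> str:
    """SHA-256 fingerprint of the certificate bytes, the usual way to compare certs across hosts."""
    return hashlib.sha256(cert).hexdigest()


def shared_certificates(inventory):
    """Return {fingerprint: sorted device ids} for every certificate used by more than one device.

    A certificate (and therefore its private key) that shows up on several devices is a fleet-wide
    exposure: compromising one device's key compromises the TLS identity of all of them.
    """
    by_fp = defaultdict(list)
    for dev, (cert, _ports) in inventory.items():
        by_fp[cert_fingerprint(cert)].append(dev)
    return {fp: sorted(devs) for fp, devs in by_fp.items() if len(devs) > 1}


def telnet_exposed(inventory, port=23):
    """Devices with the telnet port open; on these pumps that service needs no authentication."""
    return sorted(dev for dev, (_cert, ports) in inventory.items() if port in ports)


def report(inventory):
    """Human-readable findings for the security team to act on (segmentation, key rotation)."""
    lines = []
    for fp, devs in shared_certificates(inventory).items():
        lines.append(f"shared certificate {fp[:16]}... on {', '.join(devs)}")
    for dev in telnet_exposed(inventory):
        lines.append(f"telnet (tcp/23) reachable on {dev}")
    return lines


if __name__ == "__main__":
    for line in report(INVENTORY):
        print(line)
```

Run as-is it flags three of the four constructed pumps for sharing one certificate and two of them for an open telnet port. Against real inventory the useful follow-ups are network segmentation of the pumps and, where the vendor allows it, per-device key rotation.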
Rios said that, given all of the media attention the previous disclosure of vulnerabilities in the Hospira pumps received, it’s unrealistic to think the company didn’t know about the bugs in its other products.
“If we can’t trust medical device manufacturers to be transparent about publicly known security issues and vendors like Hospira continue to harbor the ‘we’d rather not know’ attitude towards security issues, we’ll have to find an alternative to medical device vulnerability analysis,” Rios said.