Vulnerability-Riddled Drug Pumps Open to Takeover

Hospira’s Lifecare PCA3 Drug Infusion pumps are susceptible to multiple remotely exploitable vulnerabilities that could not only brick the device but allow an attacker to run commands and put lives in jeopardy.

One medical device company’s line of drug pumps is so fraught with vulnerabilities that the researcher that discovered the flaws claims the pump is the least secure IP-enabled device he’s ever come across.

Certain versions of Hospira’s Lifecare PCA3 Drug Infusion pumps are susceptible to multiple remotely exploitable vulnerabilities that could not only brick the device, but with a little tweaking, also let attackers change the drug library they’re affiliated with, update the its software, and run commands.

“I would personally be very concerned if this device was being attached to me,” Jeremy Richards, a Software Security Engineer at the SAINT Corporation who dug up the bugs, wrote last week, “It is not only susceptible to attack, it is so poorly programmed it can be rendered a useless brick with a single typo.”

The affected pumps come configured with a default IP address, 192.168.0.100, that could be used by an attacker to extract wireless encryption keys, which are stored in plain text on the device. If an attacker had physical access to the device, they could not only gain access to the keys and compromise the pump, but by extension, any drug pumps in the hospital connected to its WiFi.

In a scenario Richards looked at he found WPA keys for the hospital’s wireless network on the pumps, unencrypted and in plain text, something that means that they could easily be accessed via Telnet and FTP and ultimately, if the devices were ever sold, cause a mess of trouble for the hospitals.

Richards, who blogs about security at HextechSecurity.com, discussed the pump’s failures last week. A CVE (CVE-2015-3459) for the issue, specifying that pumps running SW version 412 don’t require authentication for Telnet sessions and could allow remote attackers to gain root privileges via TCP port 23, was created at the National Vulnerability Database shortly after.

Richards claims that since the device has an exposed ethernet port a local physical attack could be carried out with an attack tool, like a specially rigged Raspberry Pi, in less than 5 seconds.

“This is a game-over vulnerability that allows an attacker with physical access to the device complete control over their own device,” Richards wrote.

Attackers can also glean information related to hard coded local accounts and on top of that, a server, AppWeb, that runs in tandem with the device suffers from its own separate vulnerabilities as well.

The issue is complicated by the fact that even if there was authentication present on the Telnet port, it wouldn’t help, since there are several web services, exposed CGIs “linkparams” and “xmmucgi,” that don’t require authentication which an attacker could exploit to “change the drug library, update software and run commands.”

As Richards points out in his blog, he’s contacted Hospira, the medical device company that manufactures the pumps, but it apparently has no plans to either recertify or patch the devices.

The issue is the second to plague the Illinois medical device firm in the last month.

In late March a similar flaw with the company’s Windows-based MedNet platform, divulged by noted device hacker Billy Rios, surfaced.

If exploited, Hospira’s MedNet server software could be used to push unauthorized modifications to medication libraries and pump configurations. Similar to the issue with the pumps, that issue stemmed from the fact that the software, which basically manages drug libraries and how certain medicine is doled out through the pumps, used hard-coded cryptographic keys that could be intercepted by hackers.

On Wednesday Hospira claimed it was aware of the issue and that it has conferred with its customers on how to address it.

“There are no instances of Hospira devices being breached in a clinical setting and Hospira has taken a proactive approach to address potential cybersecurity vulnerabilities,” Tareta Adams, a Hospira spokesperson said, adding that the company has had talks with the FDA and the Department of Homeland Security regarding device security.

“It’s also worth noting that exploiting vulnerabilities requires penetrating several layers of network security enforced by the hospital information system, including secure firewalls,” Adams said.

This article was updated on May 7 to include comments from Hospira

Suggested articles

Discussion

  • Steve Wilson (@Steve_Lockstep) on

    This is so pathetic, it's hard to know where to start a sensible and actionable critique. So I won't. I'll just add fuel to the fire by suggesting that there's a systemic laziness in medical systems information security. I've seen a lot of it. Partly it's because engineers are often separated from the clinical side of things often called the "wet side"); partly it's because of the fatalism that healthcare IT is a permanent dogs breakfast and nobody feels they can make a difference; and partly it's because people designing health IT systems have a vague idea that healthcare is dangerous anyway, so the odd software or hardware problem will get swamped by all the routine mortality and morbidity in acute care. Believe me, these are not off-handed quips. I've worked in health technology for nearly 30 years, including a long time developing software for the first implantable defibrillators, and more recently, lots and lots of work in e-health systems. So here's a typical story. I once saw a draft Threat & Risk Assessment report for a large electronic medical records system, designed with APIs to take clinical data over the Internet from decentralised computers in general practice. A threat was identified that malware in the GP computers could pass into the EMR; the potential harm was said to include total loss of the EMR. Architects debated this scenario and decided it was too hard to have application level firewalls built into the EMR to ward off malware. Instead they recommended that GPs keep their anti-virus software up to date and control unauthorised access to their networks. As if that's remotely practicable across thousands of practices. In the final draft, the risk had been deleted. The authors told me they considered this sort of risk to be academic, and will not be seen in real life. That's a typical mindset in health IT security. I bet people developing the IP connected infusion pumps have that kind of thought all the time. Hoping "it's not going to happen" is worse than just praying. Steve Wilson, Lockstep Consulting, Sydney, Australia
  • Anonymous on

    This article is misleading and overblown. The devices were obviously misconfigured by the gurus who were managing them at whatever third world country hospital he got them from on eBay. The same idiots who didn't do a factory reset before selling them. wpa keys have nothing to do with remote access or telnet. They would require physical access to the WiFi networks range. If properly configured for credentials Ethernet port is not more dangerous than a USB port which I fear more!

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.