
Researcher: Drug Infusion Pump Is the "Least Secure IP Device" He's Ever Seen 83

chicksdaddy writes: This is a bad month for the medical equipment maker Hospira. First, security researcher Billy Rios finds a raft of serious and remotely exploitable holes in the company's MedNet software, prompting a vulnerability alert from ICS CERT. Now, one month later, ICS CERT is again warning of a "10 out of 10" critical vulnerability, this time in Hospira's LifeCare PCA drug infusion pump. The problem? According to this report by Security Ledger, the main problem was an almost total lack of security controls on the device. According to independent researcher Jeremy Williams, the PCA pump listens on Telnet port 23. Connecting to the device via Telnet, he was brought immediately to a root shell account that gave him total, administrator-level access to the pump without authentication. "The only thing I needed to get in was an interest in the pump," he said. Richards found other examples of loose security on the PCA 3: an FTP server that could be accessed without authentication and an embedded web server that runs Common Gateway Interface (CGI). That could allow an attacker to tamper with the pump's operation using fairly simple scripts. Also: The PCA pump stores wireless keys used to connect to the local (medical device) wireless network in plain text on the device. That means anyone with physical access to the pump (which has an ethernet port) could gain access to the local medical device network and other devices on it. The problems prompted Richards to call the PCA 3 pump "the least secure IP enabled device" he has ever worked with.
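An added illustration, not part of the original post or the researcher's tooling: when auditing Telnet greetings already captured from devices you own, the difference between a service that asks for credentials and one that drops straight to a shell prompt (as described for the pump above) shows up once the Telnet option negotiation is stripped. The device names, sample bytes and prompt patterns below are constructed assumptions.

```python
import re

IAC, SB, SE = 255, 250, 240                 # Telnet command bytes (RFC 854)
WILL, WONT, DO, DONT = 251, 252, 253, 254

def strip_telnet_negotiation(data: bytes) -> bytes:
    """Drop IAC command sequences and return only the visible text."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
            continue
        if i + 1 >= len(data):
            break                           # capture ends in a lone IAC
        cmd = data[i + 1]
        if cmd == IAC:
            out.append(IAC)                 # escaped literal 0xFF
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            i += 3                          # IAC + verb + option code
        elif cmd == SB:
            i += 2                          # skip to the closing IAC SE
            while i < len(data) - 1 and not (data[i] == IAC and data[i + 1] == SE):
                i += 2 if data[i] == IAC else 1
            i += 2
        else:
            i += 2                          # two-byte command (NOP, GA, ...)
    return bytes(out)

# Assumed heuristics: what the last visible bytes of a greeting look like.
AUTH_PROMPT = re.compile(rb"(login|username|password)\s*:\s*$", re.I)
SHELL_PROMPT = re.compile(rb"[#$>]\s*$")

def classify_greeting(raw: bytes) -> str:
    text = strip_telnet_negotiation(raw)
    if not text.strip():
        return "no-banner"
    if AUTH_PROMPT.search(text):
        return "asks-for-credentials"
    if SHELL_PROMPT.search(text):
        return "unauthenticated-shell"
    return "unknown"

# Constructed captures: first bytes sent by two hypothetical devices.
SAMPLES = {
    "device-a": bytes([IAC, DO, 24, IAC, WILL, 1]) + b"\r\nDevice console\r\nlogin: ",
    "device-b": bytes([IAC, WILL, 1, IAC, WILL, 3]) + b"\r\n# ",
}

def audit(samples: dict) -> dict:
    return {name: classify_greeting(raw) for name, raw in samples.items()}
```

Any device that classifies as `unauthenticated-shell` belongs at the top of the remediation list: disable the service or isolate the device's network segment.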

  • by ToxicBanjo ( 905105 ) on Wednesday May 06, 2015 @06:59PM (#49634277)
    I work in animal health care and I don't see devices like this... nothing even freaking close. Truly stunning security was this lax.
    • I know, right? I mean, just the other day I saw a computer for sale with a serious security vulnerability that could result in the computer being destroyed. Anyone with physical access and a high school student's hacking skills could hit the computer with an axe until it stopped working.

      • Yes, but in that case the "hacker" can kill the computer but, could not use that computer to kill you.

        • Anyone with physical access to you can kill you, and anyone with physical access to many types of medical equipment could set things up so someone else will kill you with it (eg poisoning).

          • by cusco ( 717999 )

            You may have missed the The PCA pump stores wireless keys used to connect to the local (medical device) wireless network in plain text on the device. That means anyone with physical access to the Pump (which has an ethernet port) could gain access to the local medical device network and other devices on it.

            Once you're on the medical wireless network you now have access to **ALL** the other equally insecure PCA devices connected to it. You see, you don't need to even change any settings on your pump to get

        • Yes, but in that case the "hacker" can kill the computer but, could not use that computer to kill you.

          He could drop it on you...

      • Could this be done over a network?
    • by cusco ( 717999 )

      I work in physical security (key cards, security cameras, alarm systems, etc.) and have seen plenty of stuff this bad. For six years one of the highest quality megapixel IP security cameras on the market had a single user, "root", with a password of "system" that you could not change. Two others had only root or admin as users and you could only configure a 4 character lower-case alpha password (raised to 6 characters in a later firmware release). The absolute worst I've ever seen was Cisco's abortion of

  • That's frickin' amazing. I can't wait to hear about drug pumps spamming from formail.cgi.
    • by Anonymous Coward on Wednesday May 06, 2015 @07:41PM (#49634501)

      Dependency management.

      It was bad enough trying to get people not to link in 3rd party libraries they didn't need - these devices roll in a whole OS-worth of dependencies and no-one even bothered to check what they were. I'm not surprised these manufacturers screw up so much since they have meetings that go like this:

      "So, Jack, we need to spin up the dev team really quick on this. The HW specs are almost complete for the drug pump and the ICs are in prototype."
      "Yeah, we just don't know if it's CPU A or CPU B though and..."
      "Don't worry about that we can hedge with the distro."
      "Shall we just get them prototyping on Ubuntu?"
      "Sure...let's just get them rolling so we can meet the spec for 3 months out. Just use the desktop one for now and we can port the major parts later."

      [6 months later]

      "Jack. We're 3 months behind now and marketing want something to evaluate. Ideas?"
      "Well...Brian had a CL that mostly gets something interesting going. We could go with that cut?"
      "Has it been evaluated for conformance?"
      "Testing is 75% implemented with some flakes, but it's all green on nightly runs. We can bring that to mainline branch by the middle of nex..."
      "We can do that in parallel. We'll give it to marketing as a tentative and eval for customer experience only."

      [9 months later]

      "Marketing were impressed. It looks pretty good to go so far, how are the bugs?"
      "...why are we losing developers?"
      "Oh, marketing took the demo to the board for an investor presentation. We're going to spin up a new dev team to finalize the specification on a new product."
      "...but...that's not the product. Anyway, why are we losi..."
      "The board doesn't think it needs that much more, really, it looks pretty good. It's okay, we can head them off from the production line. The hardware is pretty final right now so we'll just bring the firmware up at the end of the line."

      [12 months later]

      "Marketing are still looking for the gold cut on the approved SW release. Any news on that?"
      "Wait, what? We've been working on a new can opener."
      "..."

      [13 months later]
      "So, the board is happy with the can opener but we can probably open more markets if we include cloud technology."
      "..."

      [24 months later]
      "Oh shit, did we release the update on the firmware?"
      "Shit."

  • by Anonymous Coward

    You can also exploit the thing by opening it up and cutting wires.

    Look, this is a medical device. People carry it around with them. Sometimes, a technician may need to make changes to it. They do that by plugging into an ethernet port on the device. Otherwise, it is never plugged in.

    Do I need a security passcode on everything that somebody could walk up to? Give me a break. My microwave doesn't have one either.

    Once your opponent has physical access to the sensitive medical devices that keep you alive, you'r

    • Yes, exactly right

    • by R3d M3rcury ( 871886 ) on Wednesday May 06, 2015 @07:10PM (#49634335) Journal

      Look, this is a medical device. People carry it around with them.

      Actually, I believe it's meant for use in a hospital, not to be carried around.

      Next time they put me on morphine, I am so hacking into this... :^D

      • Hopefully it ships with the man page...
      • Next time they put me on morphine, I am so hacking into this... :^D

        And when you cause that overflow and your morphine level goes to -1 and you lose all your pain relief, I hope the doctors and nurses take their sweet time fixing it. You will then learn:

        1. Just because you can, doesn't mean you should. Curiosity and knowledge come at a price, and you must be prepared to pay that.
        2. 1337 satisfaction pain
        3. The medical staff are busy enough without some patient trying to break their equipment.

    • by cheater512 ( 783349 ) <nick@nickstallman.net> on Wednesday May 06, 2015 @07:19PM (#49634371) Homepage

      Did you miss the bit where it said that it has wifi?

    • by ColdWetDog ( 752185 ) on Wednesday May 06, 2015 @07:21PM (#49634375) Homepage

      You can also exploit the thing by opening it up and cutting wires.

      Look, this is a medical device. People carry it around with them. Sometimes, a technician may need to make changes to it. They do that by plugging into an ethernet port on the device. Otherwise, it is never plugged in.

      Do I need a security passcode on everything that somebody could walk up to? Give me a break. My microwave doesn't have one either.

      Once your opponent has physical access to the sensitive medical devices that keep you alive, you're fucked. He could just as well put bleach in the insulin bag.

      Except that it has an Ethernet port. With an open Telenet. On a PCA pump (Patient Controlled Analgesia - a morphine drip). Which can kill the patient with the wrong dose.

      Oops.

      I think that, in 2015, one can reasonably expect the rudiments of security with a machine designed to deliver accurate quantities of a potentially fatal drug. Sure, it doesn't need to be hardened against every potential exploit but an open telenet port? That's pretty weak sauce. Aside from potentially killing a patient, an addicted nurse / tech (I was going to say doctor but they typically wouldn't know a telenet port if it went up and bit them in the nose) could potentially use this to siphon off the drug for their own use. The things have various locks and passwords to prevent that exact thing from happening.

      • by Anonymous Coward

        As you say, an open telnet port accessible from an unauthenticated ethernet port, cleartext keys for the wifi through which unauthenticated CGI configuration is available, are pretty poor by any standards, not just 2015.

        I've seen some pretty staggeringly poor security on medical equipment and medical software - one of the classics is an electronic medical record software package (still in use) which uses a Vigenere cipher to encrypt user passwords in the database, but for some bizarre reason, the client sof

      • by dbIII ( 701233 )

        I was going to say doctor but they typically wouldn't know a telenet port

        Amusing misspelling but it highlights that hardly anyone has heard of telnet, however anyone that wants to exploit these things could learn enough in less than half an hour.
        I also think the developers could have learnt better than to use it in half an hour but maybe it was cut and pasted code. The original Nintendo DS had enough grunt to run full ssh with a far less impressive CPU than these devices have so there is no excuse.

      • by AJWM ( 19027 )

        Telenet was a dial-up access packet-switched network (think X.25) back before internet access was a common thing, similar to rival company Tymnet. I spent many, many hours on Telenet back in the day, logged into BIX.

        You probably meant telnet, the *nix app which has been around even longer. When internet access became publicly available, I'd telnet into BIX (while it lasted, sigh).

    • Re: (Score:3, Interesting)

      by aXis100 ( 690904 )

      Since it's storing local wireless keys on the device, I can only assume it has a wireless network interface and is intended to be connected for remote monitoring/administration.

    • These are not patient-portable devices. They attach to an IV pole and control delivery of whatever drug is fed from the bag. They're modular, so they get mixed and matched from pole to pole (and presumably some stash on the ward) as necessary. They are not isolated; they communicate with other systems on the ward so that, for example, the nurse can come by and check on the patient when the bag is empty.

      Getting access to one of these wouldn't necessarily be that hard. Go to the ER with something that will ge

      • Is that as evil as you can get? You can kill people with this, from a long distance. Just make a worm, take ransom in bitcoins. You should be able to amass a tidy sum in the few days it takes to get every pump in the country disconnected and replaced.

    • by Anonymous Coward

      Except I can fuck you two ways to sunday, wirelessly. All because someone couldn't find the fucking time to secure that telnet.

      I don't mind someone having to plug a cable in. That I can veto, I can't veto someone in the next building trying to kill me, or god forbid getting killed by a script just scanning along.

    • Don't forget about the wifi connection.

    • The issue is that you can connect to it wirelessly, and command it to give lethal doses of drugs remotely... That's pretty frickin bad ;)

    • Look, this is a medical device. People carry it around with them. Sometimes, a technician may need to make changes to it. They do that by plugging into an ethernet port on the device. Otherwise, it is never plugged in.

      Wrong.

      These devices (and lots more medical devices) are now all being WiFi-enabled, so that they can be monitored from the central nursing station. These devices keep people alive, so just waiting until it breaks and you find the patient lying on the floor somewhere isn't good enough; they ha

  • Sounds as insecure as some phone systems - but much more of a worry.
    Sounds like development on the cheap and pocket the profits for selling the niche product for a fortune.
  • by Applehu Akbar ( 2968043 ) on Wednesday May 06, 2015 @08:36PM (#49634791)

    Is supposed to be the extensive testing and super security the industry is so renowned for.

    • They are high because of the FDA approval process, which is long and expensive, but doesn't entirely relate to reality.
    • by Anonymous Coward

      You pay for documentation and audits of documentation and work flows. No one actually checks what the hell you put in your device, but damn you if you don't do waterfall work flow if your documents say you do.

      I worked as a software developer on an intensive care unit.

  • by Anonymous Coward

    As a former employee of Hospira who was outsourced (after starting from day 1 and working there for 6 years) - I am not surprised. Moving all IT and development offshore was going to have its consequences, and reading this makes me gloat.

  • not a bug, it's a feature ;)
  • And yet, the stock price is at an all-time high. Must be all the media attention!
