DHS: Drug Infusion Pumps Vulnerable To Trivial Hacks
chicksdaddy writes with news of a DHS warning about the vulnerability of a popular brand of drug pumps. "The Department of Homeland Security warned that drug infusion pump management software sold by Hospira contains serious and exploitable vulnerabilities that could be used to remotely take control of the devices.
The MedNet server software manages drug libraries, firmware updates, and configurations of Hospira intravenous pumps. DHS's Industrial Control System Computer Emergency Response Team (ICS-CERT) said in an advisory issued Tuesday that the MedNet software from the firm Hospira contains four critical vulnerabilities – three of them capable of being exploited remotely. The vulnerabilities could allow a malicious actor to run malicious code on and take control of the MedNet servers, which could be used to distribute unauthorized modifications to medication libraries and pump configurations.
The vulnerabilities were discovered by independent security researcher Billy Rios and reported to both Hospira and ICS-CERT. The vulnerabilities vary in their severity. Among the most serious is Rios's discovery of a plaintext, hard-coded password for the SQL database used by the MedNet software (CVE-2014-5405e). By obtaining that password, an attacker could compromise the MedNet SQL server and gain administrative access to the workstation used to manage deployed pumps."
Hacking galore! (Score:2)
It's not only the infusion pumps that can be easily hacked; pacemakers can also be hacked, as well as a zillion types of other medical equipment.
This is not all: with the advent of the IoT (Internet of Things), and with average homes gonna be populated with devices that can be remotely connected, it will be a hacking galore for those who are savvy with technology.
Reasons why I don't like the Internet of Things. (Score:1)
Here's a list of reasons why I don't like the Internet of Things:
1) Internet of Things devices could watch me while I sleep.
2) Internet of Things devices could watch me while I pee.
3) Internet of Things devices could watch me while I make kaka.
4) Internet of Things devices could watch me while I pleasure myself.
5) Internet of Things devices could watch me while I wash my body in the shower.
6) Internet of Things devices could watch me while I relax in the tub.
7) Internet of Things devices could watch me whil
Re: (Score:2)
61 Internet of Things devices could let the world know that you lead a boring fucking life... oh wait, you're doing that on your own already.
Re: (Score:2)
I don't want the internet of things to watch me while I make passionate love to your wife, either.
Re: (Score:2)
"Look, I can set the temperature on my thermostat from here!" or "Watch this Bubba... I can turn on the Spa heater an hour before getting home!"
We're so accustomed to the exchange of freedom for security that now we're trading it for convenience.
Re:Makes you wonder . . . (Score:4, Informative)
The buck stops with management. They get the pay, they get the responsibility.
Of course, they're the ones who assess performance as well. No way are they actually going to take the heat for that.
So the story is: bad management. They're not putting in the appropriate checks and balances, probably because they cost money. They're not interested in making a good product, they want to pad their pay packets. So the buck goes all the way to the top, to the people who decide remuneration policies.
If the software developers don't give a damn, they're not being selected or motivated appropriately by management.
And this is one of the myriad reasons why bonus culture sucks.
They should have used a NoSQL database. (Score:2, Funny)
Like the summary states, they experienced this problem because they used a SQL database.
If they had used a NoSQL database instead, then none of this would have happened.
When you use most NoSQL databases, you can't run into a problem like "a plaintext, hard-coded password for the SQL database".
Why is that? Because most NoSQL database systems don't even support risky functionality like authentication.
See, if you don't even need to provide a password to access the database, then you don't need to securely stor
Re: (Score:2)
And of course, MongoDB is web scale! [mongodb-is-web-scale.com]
Hardcoded DB password? (Score:2)
Oh right, 'cultural compatibility'....
Re: (Score:1)
I am posting this anonymously because I don't want to get into any trouble but I personally know of at least one embedded defibrillator product that uses a hard coded password for remote access over ssh to the hospital. I'm a consultant in the industry and I know for a fact that medical device coders are some of the worst around. They focus entirely on doing only what the FDA mandates and nothing else. All their effort is spent doing only *exactly* what they need to do to win FDA approval and nothing mor
Re: (Score:1)
I work in pharmaceuticals and the attitudes are the same.
There are actually plenty of decent folks in IT. Sure, most aren't at the Google level of software engineering, but they're competent enough.
The problem is that there is ZERO priority on making something that does the job right, and total commitment to making something that will stand up in an FDA inspection. So, the emphasis is on tons of documentation and process. We'll write up 30 pages of justification for not fixing a bug that would require ch
Re: (Score:2)
From what I hear, this is very, very typical of medical devices. Not even the most basic security precautions are observed, or other basic software principles. If it runs, it ships.
Re: (Score:2)
Start with a good programmer. Give him incomplete requirements and demand a time estimate RIGHT NOW. Once you have extracted that, carve it in stone. Finally, sprinkle in a heap of additional requirements from marketing.
drug infusion pump management software (Score:1)
let me guess, runs on windows?
Re: (Score:2)
It might run on winders, but the bugs are not OS related. They are, however, related to the stupidity of Hospira and their software guys.
One person above raised an interesting issue, which we have all known about. If you clamp down on security, users find the system unusable. Normally, this isn't such a big deal, but in medical systems it is a very big deal due to the possibility of people dying as a result...either too much or too little. Solving this problem is critical for medical systems, i.e., how do yo
Re: (Score:2)
it is a very big [deal] due to the possibility of people dying as a result...either too much or too little.
I think most people will consider too much dying to be the problem, not too little dying.
Just reclassify them as design issues and it's OK (Score:2)
Re: (Score:2)
IOT. IOT! Every fucking thing including each LED segment in my oven's digital display HAS TO FUCKING HAVE its own IP address and access to the internet.
Christ, dude. You want the world to end or something? Without every cell in our body connected to every other cell on the planet via the internet, we're all doomed!
And the solution is... (Score:2)
Re: (Score:2)
I honestly can't figure out why you'd want to in the first place. My sister was part of the original clinical trials of insulin pumps here in Canada, they were 'dumb' in all terms, and were manually adjusted. If she could figure out how to do everything at the age of 8 with no problems, then I'm pretty sure anyone else can.