Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Medicine

DHS: Drug Infusion Pumps Vulnerable To Trivial Hacks 37

chicksdaddy writes with news of a DHS warning about the vulnerability of a popular brand of drug pumps. "The Department of Homeland Security warned that drug infusion pump management software sold by Hospira contains serious and exploitable vulnerabilities that could be used to remotely take control of the devices.

The MedNet server software manages drug libraries, firmware updates, and configurations of Hospira intravenous pumps. DHS's Industrial Control System Computer Emergency Response Team (ICS-CERT) said in an advisory issued Tuesday that the MedNet software from the firm Hospira contains four critical vulnerabilities – three of them capable of being exploited remotely. The vulnerabilities could allow a malicious actor to run malicious code on and take control of the MedNet servers, which could be used to distribute unauthorized modifications to medication libraries and pump configurations.

The vulnerabilities were discovered by independent security researcher Billy Rios and reported to both Hospira and ICS-CERT. The vulnerabilities vary in their severity. Among the most serious is Rios's discovery of a plaintext, hard-coded password for the SQL database used by the MedNet software (CVE-2014-5405e). By obtaining that password, an attacker could compromise the MedNet SQL server and gain administrative access to the workstation used to manage deployed pumps."
This discussion has been archived. No new comments can be posted.

DHS: Drug Infusion Pumps Vulnerable To Trivial Hacks

Comments Filter:
  • by Anonymous Coward

    Like the summary states, they experienced this problem because they used a SQL database.

    If they had used a NoSQL database instead, then none of this would have happened.

    When you use most NoSQL databases, you can't run into a problem like "a plaintext, hard-coded password for the SQL database".

    Why is that? Because most NoSQL database systems don't even support risky functionality like authentication.

    See, if you don't even need to provide a password to access the database, then you don't need to securely stor

  • Generally the pay when working for medical device companies is pretty good, how in the world are they getting that lousy of programmers?

    Oh right, 'cultural compatibility'....
    • I don't know how well the pay was at this company for their software people but my experience has been the offers from medical device companies for software people has been on the very low end, so I would imagine this would be the case here as well. The pay for MEs and EEs is probably much better and more inline with the norm but then I may just be making shit up as am not a ME or EE.
    • by Anonymous Coward

      I am posting this anonymously because I don't want to get into any trouble but I personally know of at least one embedded defibrillator product that uses a hard coded password for remote access over ssh to the hospital. I'm a consultant in the industry and I know for a fact that medical device coders are some of the worst around. They focus entirely on doing only what the FDA mandates and nothing else. All their effort is spent doing only *exactly* what they need to do to win FDA approval and nothing mor

      • by jythie ( 914043 )
        That culture alone is probably enough to drive most programmers away.
      • by Anonymous Coward

        I work in pharmaceuticals and the attitudes are the same.

        There are actually plenty of decent folks in IT. Sure, most aren't at the Google level of software engineering, but they're competent enough.

        The problem is that there is ZERO priority on making something that does the job right, and total commitment to making something that will stand up in an FDA inspection. So, the emphasis is on tons of documentation and process. We'll write up 30 pages of justification for not fixing a bug that would require ch

    • From what I hear, this is very, very typical of medical devices. Not even the most basic security precautions are observed, or other basic software principles. If it runs, it ships.

    • by sjames ( 1099 )

      Start with a good programmer. Give him incomplete requirements and demand a time estimate RIGHT NOW. Once you have extracted that, carve it in stone. Finally, sprinkle in a heap of additional requirements from marketing.

  • by Anonymous Coward

    let me guess, runs on windows?

    • by gtall ( 79522 )

      It might run on winders, but the bugs are not OS related. They are, however, related to the stupidity of Hospira and their software guys.

      One person above raised an interesting issue, which we have all known about. If you clamp down on security, users find the system unusable. Normally, this isn't such a big deal but in medical systems it is a very big dead due to the possibility of people dying as a result...either too much or too little. Solving this problem is critical for medical systems, i.e., how do yo

      • it is a very big [deal] due to the possibility of people dying as a result...either too much or too little.

        I think most people will consider too much dying to be the problem, not too little dying.

  • Just reclassify them as design issues [slashdot.org] and then things will be OK.
  • And the solution is to not connect your Drug Infusion Pumps to the Intertubes !
    • by Mashiki ( 184564 )

      I honestly can't figure out why you'd want to in the first place. My sister was part of the original clinical trials of insulin pumps here in Canada, they were 'dumb' in all terms, and were manually adjusted. If she could figure out how to do everything at the age of 8 with no problems, then I'm pretty sure anyone else can.

If all else fails, lower your standards.

Working...