Researcher: Drug Infusion Pump Is the "Least Secure IP Device" He's Ever Seen
chicksdaddy writes: This is a bad month for the medical equipment maker Hospira. First, security researcher Billy Rios finds a raft of serious and remotely exploitable holes in the company's MedNet software, prompting a vulnerability alert from ICS CERT. Now, one month later, ICS CERT is again warning of a "10 out of 10" critical vulnerability, this time in Hospira's LifeCare PCA drug infusion pump. The problem? According to this report by Security Ledger, the main problem was an almost total lack of security controls on the device. According to independent researcher Jeremy Williams, the PCA pump listens on Telnet port 23. Connecting to the device via Telnet, he was brought immediately to a root shell account that gave him total, administrator-level access to the pump without authentication. "The only thing I needed to get in was an interest in the pump," he said. Richards found other examples of loose security on the PCA 3: an FTP server that could be accessed without authentication and an embedded web server that runs Common Gateway Interface (CGI). That could allow an attacker to tamper with the pump's operation using fairly simple scripts. Also: The PCA pump stores wireless keys used to connect to the local (medical device) wireless network in plain text on the device. That means anyone with physical access to the pump (which has an Ethernet port) could gain access to the local medical device network and other devices on it. The problems prompted Richards to call the PCA 3 pump "the least secure IP enabled device" he has ever worked with.
Re:Queue the lawsuit... (Score:4, Funny)
Well yeah. Duh. And it's cue, not queue.
Unless you are building a queue of lawsuits. If the pump is fairly common in the health care industry, that could be the case.
Re: (Score:2)
Nice. Of course then it should have been "Queue the lawsuits".
Re: (Score:2)
No, queueing the lawsuit would still be valid - it would be the act of adding that one single lawsuit to the queue.
Re: (Score:2)
Well yeah. Duh. And it's cue, not queue.
Unless you are building a queue of lawsuits
I think the OP was referring to a queue of landsharks in suits lining up to sue.
Re: (Score:2)
Well, you cue several lawsuits to queue up.
Re: (Score:1)
Dumping process state in:
Re: (Score:3)
Shows that any OS can be made insecure by incompetent moron administrators/users or, likely in this case, PHBs.
Re: (Score:2)
*moronic... dammit. I know why Slashdot doesn't have an edit feature but, I hate it also.
Re: (Score:3)
Truth.
At my last job, I was talking about the input validation that I'd created on a web application. My PHB asked why I had done that, since the client hadn't asked for it.
If I could include pictures with a Slashdot post, it would be the Jackie Chan "My Brain Is Full Of Fuck" meme.
Unacceptable (Score:3)
Re: (Score:1)
I know, right? I mean, just the other day I saw a computer for sale with a serious security vulnerability that could result in the computer being destroyed. Anyone with physical access and a high school student's hacking skills could hit the computer with an axe until it stopped working.
Re: (Score:2)
Yes, but in that case the "hacker" can kill the computer but, could not use that computer to kill you.
Re: (Score:1)
Anyone with physical access to you can kill you, and anyone with physical access to many types of medical equipment could set things up so someone else will kill you with it (eg poisoning).
Re: (Score:2)
You may have missed the "The PCA pump stores wireless keys used to connect to the local (medical device) wireless network in plain text on the device. That means anyone with physical access to the pump (which has an ethernet port) could gain access to the local medical device network and other devices on it."
Once you're on the medical wireless network you now have access to **ALL** the other equally insecure PCA devices connected to it. You see, you don't need to even change any settings on your pump to get
Re: (Score:2)
Yes, but in that case the "hacker" can kill the computer but, could not use that computer to kill you.
He could drop it on you...
Re: (Score:2)
I work in physical security (key cards, security cameras, alarm systems, etc.) and have seen plenty of stuff this bad. For six years one of the highest quality megapixel IP security cameras on the market had a single user, "root", with a password of "system" that you could not change. Two others had only root or admin as users and you could only configure a 4 character lower-case alpha password (raised to 6 characters in a later firmware release). The absolute worst I've ever seen was Cisco's abortion of
CGI in a drug pump? (Score:2)
Re:CGI in a drug pump? (Score:5, Insightful)
Dependency management.
It was bad enough trying to get people not to link in 3rd party libraries they didn't need - these devices roll in a whole OS-worth of dependencies and no-one even bothered to check what they were. I'm not surprised these manufacturers screw up so much since they have meetings that go like this:
"So, Jack, we need to spin up the dev team really quick on this. The HW specs are almost complete for the drug pump and the ICs are in prototype."
"Yeah, we just don't know if it's CPU A or CPU B though and..."
"Don't worry about that we can hedge with the distro."
"Shall we just get them prototyping on Ubuntu?"
"Sure...let's just get them rolling so we can meet the spec for 3 months out. Just use the desktop one for now and we can port the major parts later."
[6 months later]
"Jack. We're 3 months behind now and marketing want something to evaluate. Ideas?"
"Well...Brian had a CL that mostly gets something interesting going. We could go with that cut?"
"Has it been evaluated for conformance?"
"Testing is 75% implemented with some flakes, but it's all green on nightly runs. We can bring that to mainline branch by the middle of nex..."
"We can do that in parallel. We'll give it to marketing as a tentative and eval for customer experience only."
[9 months later]
"Marketing were impressed. It looks pretty good to go so far, how are the bugs?"
"...why are we losing developers?"
"Oh, marketing took the demo to the board for an investor presentation. We're going to spin up a new dev team to finalize the specification on a new product."
"...but...that's not the product. Anyway, why are we losi..."
"The board doesn't think it needs that much more, really, it looks pretty good. It's okay, we can head them off from the production line. The hardware is pretty final right now so we'll just bring the firmware up at the end of the line."
[12 months later]
"Marketing are still looking for the gold cut on the approved SW release. Any news on that?"
"Wait, what? We've been working on a new can opener."
"..."
[13 months later]
"So, the board is happy with the can opener but we can probably open more markets if we include cloud technology."
"..."
[24 months later]
"Oh shit, did we release the update on the firmware?"
"Shit."
I don't understand the big deal (Score:1)
You can also exploit the thing by opening it up and cutting wires.
Look, this is a medical device. People carry it around with them. Sometimes, a technician may need to make changes to it. They do that by plugging into an ethernet port on the device. Otherwise, it is never plugged in.
Do I need a security passcode on everything that somebody could walk up to? Give me a break. My microwave doesn't have one either.
Once your opponent has physical access to the sensitive medical devices that keep you alive, you'r
Re: (Score:2)
Yes, exactly right
Re:I don't understand the big deal (Score:5, Funny)
Look, this is a medical device. People carry it around with them.
Actually, I believe it's meant for use in a hospital, not to be carried around.
Next time they put me on morphine, I am so hacking into this... :^D
Re: (Score:1)
Next time they put me on morphine, I am so hacking into this... :^D
And when you cause that overflow and your morphine level goes to -1 and you lose all your pain relief, I hope the doctors and nurses take their sweet time fixing it. You will then learn:
1. Just because you can, doesn't mean you should. Curiosity and knowledge come at a price, and you must be prepared to pay that.
2. 1337 satisfaction pain
3. The medical staff are busy enough without some patient trying to break their equipment.
Re: (Score:2)
2. 1337 satisfaction < pain
slashcode ate my <
Re: (Score:2)
I don't know. That's a competition between ego and pain tolerance. By the time the pain tolerance loses the ego may have already won.
Re:I don't understand the big deal (Score:4, Informative)
Did you miss the bit where it said that it has wifi?
Re:I don't understand the big deal (Score:5, Insightful)
You can also exploit the thing by opening it up and cutting wires.
Look, this is a medical device. People carry it around with them. Sometimes, a technician may need to make changes to it. They do that by plugging into an ethernet port on the device. Otherwise, it is never plugged in.
Do I need a security passcode on everything that somebody could walk up to? Give me a break. My microwave doesn't have one either.
Once your opponent has physical access to the sensitive medical devices that keep you alive, you're fucked. He could just as well put bleach in the insulin bag.
Except that it has an Ethernet port. With an open Telenet. On a PCA pump (Patient Controlled Analgesia - a morphine drip). Which can kill the patient with the wrong dose.
Oops.
I think that, in 2015, one can reasonably expect the rudiments of security with a machine designed to deliver accurate quantities of a potentially fatal drug. Sure, it doesn't need to be hardened against every potential exploit but an open telenet port? That's pretty weak sauce. Aside from potentially killing a patient, an addicted nurse / tech (I was going to say doctor but they typically wouldn't know a telenet port if it went up and bit them in the nose) could potentially use this to siphon off the drug for their own use. The things have various locks and passwords to prevent that exact thing from happening.
Re: (Score:1)
As you say, an open telnet port accessible from an unauthenticated ethernet port, cleartext keys for the wifi through which unauthenticated CGI configuration is available, are pretty poor by any standards, not just 2015.
I've seen some pretty staggeringly poor security on medical equipment and medical software - one of the classics is an electronic medical record software package (still in use) which uses a Vigenere cipher to encrypt user passwords in the database, but for some bizarre reason, the client sof
Re: (Score:2)
Amusing misspelling but it highlights that hardly anyone has heard of telnet, however anyone that wants to exploit these things could learn enough in less than half an hour.
I also think the developers could have learnt better than to use it in half an hour but maybe it was cut and pasted code. The original Nintendo DS had enough grunt to run full ssh with a far less impressive CPU than these devices have so there is no excuse.
Re: (Score:2)
Telenet was a dial-up access packet-switched network (think X.25) back before internet access was a common thing, similar to rival company Tymnet. I spent many, many hours on Telenet back in the day, logged into BIX.
You probably meant telnet, the *nix app which has been around even longer. When internet access became publicly available, I'd telnet into BIX (while it lasted, sigh).
Re: (Score:2)
It's now a Belgian ISP. As is Skynet...
Re: (Score:3, Interesting)
Since it's storing local wireless keys on the device, I can only assume it has a wireless network interface and is intended to be connected for remote monitoring/administration.
Re: (Score:3)
These are not patient-portable devices. They attach to an IV pole and control delivery of whatever drug is fed from the bag. They're modular, so they get mixed and matched from pole to pole (and presumably some stash on the ward) as necessary. They are not isolated; they communicate with other systems on the ward so that, for example, the nurse can come by and check on the patient when the bag is empty.
Getting access to one of these wouldn't necessarily be that hard. Go to the ER with something that will ge
Re: (Score:2)
Is that as evil as you can get? You can kill people with this, from a long distance. Just make a worm, take ransom in bitcoins. You should be able to amass a tidy sum in the few days it takes to get every pump in the country disconnected and replaced.
Re: (Score:1)
Except I can fuck you two ways to sunday, wirelessly. All because someone couldn't find the fucking time to secure that telnet.
I don't mind someone having to plug a cable in. That I can veto, I can't veto someone in the next building trying to kill me, or god forbid getting killed by a script just scanning along.
Re: (Score:3)
Don't forget about the wifi connection.
Re: (Score:3)
The issue is that you can connect to it wirelessly, and command it to give lethal doses of drugs remotely... That's pretty frickin bad ;)
Re: (Score:2)
Look, this is a medical device. People carry it around with them. Sometimes, a technician may need to make changes to it. They do that by plugging into an ethernet port on the device. Otherwise, it is never plugged in.
Wrong.
These devices (and lots more medical devices) are now all being WiFi-enabled, so that they can be monitored from the central nursing station. These devices keep people alive, so just waiting until it breaks and you find the patient lying on the floor somewhere isn't good enough; they ha
my mother-in-law mysteriously went into a coma (Score:2)
Re: (Score:2)
It was a good thing you had the new version of her will notarized last week.
Re: (Score:3)
The problem is that somebody else can get to the supply. The system goes through a lot of trouble to make sure somebody doesn't siphon off the drug. Getting into the guts of the machine, bypassing the log functions and bog knows what else might be very tempting to the right person. All the more so since the pumps are used all of the time - you could have a good supply of your favorite narcotic.
I give it a couple of weeks before a simple exploit gets published somewhere.
Re: (Score:2)
If you're going to steal the drugs, you're just going to slip into the room, snip the tube, and walk out with the bottle of narcotics. You're not going to bother to hack the system so that it doses out an extra mg or two for you to siphon off. Even if you did manage to bypass any other hurdles and got the machine to dose out more than it was supposed to, at most you'd get fairly limited supply before they realized they went through a bottle of narcotics far faster than the machine should have been administra
Re: (Score:3)
It's even easier. You just shut it off and pull the drug while they're sleeping.
My dad had that happen at least once during a weeks long hospital stay. They took forever figuring out how to get him more morphine... as he'd already been prescribed and there are at least reasonable safeguards on the overprescription side.
They even had an idea who it was, as missing drugs was a problem in that ward. They didn't do anything, just said "watch out for that guy". I'm sure they eventually caught him... it's extreme
Re: (Score:2)
I had a PCA hooked up after having my broken collar bone and shattered wrist re-assembled. The method for me to get a shot of morphine was to simply push a button. The system was set that I could only get a certain number of presses per hour.
That said I didn't use the button at all. They had given me oral painkillers and I was fine with those for the 8 hours I had to wait before they let me go home. For the most part I was just seriously bored. My entertainment was my laptop and watching tv shows
Sounds as insecure as some phone systems (Score:2)
Sounds like development on the cheap and pocket the profits for selling the niche product for a fortune.
The excuse for insanely high med device prices (Score:4, Insightful)
Is supposed to be the extensive testing and super security the industry is so renowned for.
Re: (Score:1)
You pay for documentation and audits of documentation and work flows. No one actually checks what the hell you put in your device, but damn you if you don't do waterfall work flow if your documents say you do.
I worked as a software developer on an intensive care unit.
Not surprising! (Score:1)
As a former employee of Hospira who was outsourced (after starting from day 1 and working there for 6 years) - I am not surprised. Moving all IT and development offshore was going to have its consequences, and reading this makes me gloat.