'Smart' Hospital IV Pump Vulnerable To Remote Hack Attack

from the killed-by-apathy dept

By this point, the half-baked security in most internet of things devices has become a bit of a running joke, leading to amusing Twitter accounts like Internet of Shit that highlight the sordid depth of this particular apathy rabbit hole. And while refrigerators leaking your Gmail credentials and tea kettles that expose your home network are entertaining in their own way, it's easy to lose sight of the fact that the same half-assed security found in the IoT space also exists in most home routers, your car, your pacemaker, and countless other essential devices and services your life may depend on.

The lack of security on the medical front is particularly alarming. The latest case in point: security researcher Scott Gayou has discovered eight vulnerabilities in a syringe infusion pump used by hospitals to administer medication to patients intravenously. The flawed device is the Medfusion 4000 infusion pump, made by Smiths Medical, part of the UK multinational Smiths Group. The pump is used to deliver medications, blood, antibiotics and other fluids to critical care patients, to patients under anesthesia during surgery, and to newborn babies.

The flaws were severe enough to warrant a new warning from the Department of Homeland Security, whose ICS-CERT issued an advisory that, like similar past advisories, rather downplays the fact that these flaws could be used by a skilled attacker to kill somebody covertly:

“Successful exploitation of these vulnerabilities may allow a remote attacker to gain unauthorized access and impact the intended operation of the pump. Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump. Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment and specific clinical usage.”

Both the FDA and DHS have ramped up the attention they give to such vulnerabilities, having recently issued similar first-ever warnings about flaws in pacemakers made by St. Jude Medical, which could likewise be abused to kill patients. And while this is all wonderful news if you're a wetworker operating in an environment where such flaws take years to discover, much less fix, it's decidedly less fun for the companies being criticized for half-assed security. In most cases the companies involved make it their top priority to downplay the risks, as Smiths did in its statement on the vulnerabilities:

The possibility of this exploit taking place in a clinical setting is highly unlikely, as it requires a complex and an unlikely series of conditions.

Except that six of the vulnerabilities in question simply involve hard-coded credentials, the same problem that has plagued the home router market for years. For its part, Smiths says it is working on a fix for the flaws, which it says may be released in January 2018. In the interim, Smiths is urging hospitals to assess the risk, change the default login credentials, and disconnect the devices from the network where necessary. Note that changing defaults only helps where a credential is actually changeable: a credential that is truly hard-coded in the firmware is the same on every unit and cannot be rotated by the hospital at all, so for those only the vendor's firmware update removes the exposure. And considering the low quality of IT support in most hospitals (a major reason for the massive spike in hospital ransomware attacks), there is certainly no guarantee that any of these mitigations will actually happen.
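To make the "hard-coded credentials" class of bug concrete, here is an added example in Python; it is not Smiths Medical's firmware and not code from the advisory. It puts a login check built around a literal compiled into the image (the placeholder username and password are hypothetical, not the pump's real ones) beside a per-device credential store that a hospital can actually rotate: unique salt and PBKDF2 hash per unit, constant-time comparison, lockout after repeated failures, and a provisioning secret that is only good for setting a real password. The account name, lockout thresholds and iteration count are assumptions chosen for the example.

```python
"""Added example (not Smiths Medical's firmware): hard-coded login check
versus a per-device credential store a hospital can actually rotate."""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# --- The anti-pattern ---------------------------------------------------
# Hypothetical placeholder values; the pump's real credentials are not on
# the page and are not reproduced here. The defect is structural: a literal
# compiled into the firmware is shared by every unit, cannot be changed by
# the customer, and falls out of any extracted firmware image.
_BUILT_IN_USER = "service"       # hypothetical
_BUILT_IN_PASSWORD = "changeme"  # hypothetical


def vulnerable_login(user: str, password: str) -> bool:
    """Hard-coded credentials: identical on every device, never rotatable."""
    return user == _BUILT_IN_USER and password == _BUILT_IN_PASSWORD


# --- A hardened replacement ---------------------------------------------
PBKDF2_ROUNDS = 100_000  # kept modest so the example runs quickly


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class CredentialRecord:
    salt: bytes
    digest: bytes
    must_change: bool      # provisioning secret expires on first successful use
    failures: int = 0
    locked_until: float = 0.0


class CredentialStore:
    """Per-unit salt and hash, constant-time compare, lockout, forced rotation."""

    MAX_FAILURES = 5
    LOCKOUT_SECONDS = 300.0

    def __init__(self) -> None:
        self._records: Dict[str, CredentialRecord] = {}

    def provision(self, user: str) -> str:
        """Factory/first-boot step: a unique per-unit secret, returned once so it
        can go on the unit's label. It is only good for setting a real password."""
        initial = secrets.token_urlsafe(12)
        salt = os.urandom(16)
        self._records[user] = CredentialRecord(salt, _derive(initial, salt), must_change=True)
        return initial

    def set_password(self, user: str, new_password: str) -> None:
        if len(new_password) < 12:
            raise ValueError("password too short")
        salt = os.urandom(16)  # fresh salt on every rotation
        self._records[user] = CredentialRecord(salt, _derive(new_password, salt), must_change=False)

    def login(self, user: str, password: str, now: Optional[float] = None) -> str:
        """Returns 'ok', 'must_change', 'locked' or 'denied'."""
        now = time.time() if now is None else now
        rec = self._records.get(user)
        if rec is None:
            _derive(password, b"\x00" * 16)  # same cost for unknown users
            return "denied"
        if now < rec.locked_until:
            return "locked"
        if not hmac.compare_digest(_derive(password, rec.salt), rec.digest):
            rec.failures += 1
            if rec.failures >= self.MAX_FAILURES:
                rec.locked_until = now + self.LOCKOUT_SECONDS
                rec.failures = 0
            return "denied"
        rec.failures = 0
        return "must_change" if rec.must_change else "ok"


if __name__ == "__main__":
    store = CredentialStore()
    label_secret = store.provision("biomed")
    print("shared literal accepted everywhere:", vulnerable_login("service", "changeme"))
    print("provisioning secret:", store.login("biomed", label_secret))
    store.set_password("biomed", "per-site-rotated-secret")
    print("old secret after rotation:", store.login("biomed", label_secret))
    print("new password:", store.login("biomed", "per-site-rotated-secret"))
```

The point of the contrast is the one the article makes about routers: `vulnerable_login` accepts the same pair on every pump ever shipped and nothing a hospital does changes that, while `CredentialStore` ties the secret to one unit and makes "change the default credentials" an operation that actually exists.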



Comments on “'Smart' Hospital IV Pump Vulnerable To Remote Hack Attack”

That Anonymous Coward (profile) says:

“rather downplays the fact these flaws could be utilized by a skilled hacker to kill somebody covertly”

Because we had to make nice to get the company to even make an announcement, because we have no powers to actually punish them.

Are we just tacitly waiting for the bodycount?
Are coroners now creating a forensics team capable of probing implanted medical devices?
Is the “science” that embraced teeth marks capable of crawling code?

This isn’t the first, second, third, fourth, fifth, etc. time something like this has been found. I guess letting the industry self regulate isn’t working out very well for sick people.

We accept them downplaying the problems & covering it with you need to be a skilled hacker. Hackers don’t run around in black hoodies wearing gloves and sunglasses all the time. They are everywhere. Just because a “white hat” found & disclosed something doesn’t mean they were the only one looking. They weren’t the one looking, who informed people, and then most likely had to go public to get them to even admit the crap is flawed.

We have entire business models based on getting 0-day flaws, who are willing to sell phone tracking so dissidents can be murdered… think they would turn their noses up at medical hacks? Wanna buy a bridge in Brooklyn? They will tell you they would never do that, while trying to hide the multitude of broken promises and violations of laws because making money is more important than if the target's gonna end up dead.

This is just yet another real cyber problem that is getting none of the focus, as we pour hundreds of billions into tanks, bullets, planes… but expect the infrastructure industries are gonna secure everything on their own with no real help.

Anonymous Coward says:

Microcontrollers are cheap, and include network interface modules that have serial interfaces. This allows a device controller to be limited in software to using it to send messages only. This would allow a safe implementation of remote alarms and data monitoring. I assume that any adjustments are carried out at the patient's bedside, and requiring the removal of covers to update any software would be a safety feature.

JoeCool (profile) says:

Re: Re:

Considering how ridiculously expensive medical equipment is, you shouldn't be using a CHEAP microcontroller, you should be using an EXPENSIVE microcontroller. This would allow a full implementation of BSD or Linux, and all the subsequent security provided by either. Relatively speaking, an "expensive" microcontroller capable of running a decent OS with full security is not very expensive these days. Certainly one of the less expensive parts of the device, and more than covered by the final price.

Anonymous Coward says:

Re: Re: Re:

A full Linux or BSD implementation connected to the network gives a much larger attack surface. A dedicated network interface, driven over a serial link, and set up to use UDP to send logging and alarm messages, can be driven in a write-only mode. The proposed approach is to provide the minimum functionality to allow remote monitoring and logging, and to avoid a full-function device attached to the network.

The medical device can have a full-function OS, but with no network connection except via the attached microcontroller, which can appear as a write-only device. That is, let's avoid connecting a full operating system's network stack to the network, eliminating a large attack surface, and instead use a more controllable interface and device, where if the network-connected device is compromised, logging can be shut down but the operation of the medical device is not compromised.

When human lives are at stake, a full-function network interface is the wrong way to go, because even if used in the same fashion as the microcontroller, it could be used to host malware to attack the rest of the hospital system. The microcontroller interface is more easily audited, and with a suitable device and setup, its software can only be changed via physical access and a JTAG or similar programmer.
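The write-only telemetry path proposed in this thread is easy to sketch in code, so here is an added example in Python; it is not the commenter's code and not the design of any shipped pump. The pump side can only build datagrams and has no receive path at all; the collector authenticates each frame with a per-device HMAC key, refuses to parse anything whose tag fails, drops replays using a strictly increasing sequence number, and has no method that could send anything back. The frame layout, the magic bytes, the message types and the key are all assumptions made for the example; in a real device the returned bytes go straight to `socket.sendto` and nothing else.

```python
"""Added example (not any shipped pump's design, nor the commenter's code):
a write-only telemetry path. The pump side can only build datagrams; the
collector authenticates them, rejects replays, and never answers."""
import hashlib
import hmac
import struct
import time
from typing import Dict, List, Optional, Tuple

MAGIC = b"PT"                         # hypothetical frame marker
VERSION = 1
ALARM, LOG = 1, 2                     # hypothetical message types
# magic, version, sequence, timestamp_ms, message type, payload length
HEADER = struct.Struct("!2sBIQBH")
TAG_LEN = hashlib.sha256().digest_size  # HMAC-SHA256 tag appended to each frame
MAX_PAYLOAD = 512


class TelemetryEmitter:
    """Pump side. Note what is absent: there is no receive path at all, so a
    compromised collector has nothing to talk back to."""

    def __init__(self, device_key: bytes) -> None:
        self._key = device_key
        self._seq = 0

    def frame(self, msg_type: int, payload: bytes, ts_ms: Optional[int] = None) -> bytes:
        if len(payload) > MAX_PAYLOAD:
            raise ValueError("payload too large")
        ts = int(time.time() * 1000) if ts_ms is None else ts_ms
        self._seq += 1  # strictly increasing; the collector uses it to drop replays
        body = HEADER.pack(MAGIC, VERSION, self._seq, ts, msg_type, len(payload)) + payload
        # In the real device this return value goes straight to
        # sock.sendto(datagram, (collector_ip, collector_port)) and nothing else.
        return body + hmac.new(self._key, body, hashlib.sha256).digest()


class TelemetryCollector:
    """Network side. Verifies before parsing, tracks the last sequence seen,
    and exposes no method that could send anything toward the pump."""

    def __init__(self, device_key: bytes) -> None:
        self._key = device_key
        self._last_seq = 0

    def accept(self, datagram: bytes) -> Tuple[str, Optional[Dict]]:
        if len(datagram) < HEADER.size + TAG_LEN:
            return "short", None
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "bad_tag", None          # forged or tampered; do not parse further
        magic, ver, seq, ts, mtype, plen = HEADER.unpack_from(body)
        if magic != MAGIC or ver != VERSION:
            return "bad_header", None
        payload = body[HEADER.size:]
        if len(payload) != plen:
            return "bad_length", None
        if seq <= self._last_seq:
            return "replay", None           # duplicated or re-sent datagram
        self._last_seq = seq
        return "ok", {"seq": seq, "ts_ms": ts, "type": mtype, "payload": payload}


def run_scenario() -> List[str]:
    """Constructed traffic: two good frames, a replayed frame, a tampered frame."""
    key = b"per-device-key-provisioned-at-install"  # hypothetical
    pump, collector = TelemetryEmitter(key), TelemetryCollector(key)
    alarm = pump.frame(ALARM, b"OCCLUSION", ts_ms=1_000)
    log = pump.frame(LOG, b"rate=5.0mL/h", ts_ms=2_000)
    # Attacker on the wire rewrites the rate but cannot recompute the tag.
    tampered = log[:HEADER.size] + b"rate=9.9mL/h" + log[HEADER.size + 12:]
    return [collector.accept(alarm)[0], collector.accept(log)[0],
            collector.accept(alarm)[0], collector.accept(tampered)[0]]


if __name__ == "__main__":
    print(run_scenario())  # ['ok', 'ok', 'replay', 'bad_tag']
```

The asymmetry is the design: the emitter class has no `recv`, the collector has no `send`, and the tag is checked before a single header field is interpreted, so a compromised monitoring host can at worst blind the log, never reach the therapeutic side.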

JoeCool (profile) says:

Re: Re: Re:2 Re:

Exactly – the smaller the device, the easier it is to completely RE the code. If it’s not perfect, it becomes trivial to hack. Unfortunately, the smaller the device, the more you’re likely to play games with the code to get it all to fit in a smaller device. You don’t have the space or features or power to guarantee perfect safety, and many small device makers don’t even try.

Anonymous Coward says:

We know, thanks.

The risks of IV therapy are high. So are the benefits. Not using pumps (using gravity-regulated drips, for example) is substantially more dangerous than using them. Given that the right dose can save your life and the wrong dose can kill you, digitally controlled IV pumps are here to stay, and that’s a good thing.

Which doesn’t mean you don’t understand their risks, which are multiple. Networked pump operation exploited by vulnerabilities like the ones in the advisory isn’t even on the first page of the list. That’s partially because the most obvious mitigation, which is not connecting the pump to a network, is also the default state in most hospitals.

Good system design treats pumps and other Class 3 medical devices as foreign entities that should never be fully trusted on the network. Their design cannot be externally validated (although the FDA requires extensive internal validation) and poor network component design is a historic hallmark of the things. They are also ridiculously slow to receive updates, preserving zero-days for years. For that reason, physical AND logical segmentation is the order of the day, and wireless capabilities are an extraordinarily bad idea (given that pumps sort of have to be connected to the patient and to power, they’re also mostly unnecessary). Pumps belong in isolated network segments with monitored gateways, no direct external access in or out, and strict behavioral triggering. Absent that, they belong off the network entirely.

We knew all that long before this advisory. And although “hospital IT support” is an easy target for derision, the organization I work with, like a lot of health care IT organizations these days, has substantial effort and time devoted to just this issue, and a lot of incredibly bright minds thinking about safety and reliability in a world of crap built by Microsoft and Apple. (And, yes, by device manufacturers who put hard-coded FTP server credentials on their IV pumps for no apparent reason. Sigh.)

Peter says:

Why aren't the networks separate?

I thought the best security is to not have the medical equipment on the same network as the rest of the hospital/internet. If they are physically separated, it doesn't matter if the devices have a vulnerability. Not having the medical network connected to the internet would reduce the risks. Of course a hacker could still gain physical access to the medical network, but that does increase the risk of them being detected and caught.
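Both the "isolated network segments with monitored gateways" comment above and Peter's question about separate networks come down to a policy that can be checked mechanically, so here is an added example in Python that does so; it is not from either commenter's hospital and not a product rule set. It encodes a hypothetical topology (a pump segment, a single collector in an adjacent monitoring segment, the hospital's private address space) and runs constructed flow records through it: pump-to-collector telemetry on one UDP port is the only permitted traffic, and inbound FTP/telnet to a pump, pump-to-pump traffic, pumps reaching other hospital segments or the internet, and pumps using an unexpected service on the collector are all flagged. The addresses, ports, log format and sample lines are all assumptions constructed for the example.

```python
"""Added example (not a product rule set and not from the commenters'
hospitals): the segmentation policy described above, checked against flow
records. Addresses, ports and log lines are all constructed for illustration."""
import ipaddress
import re
from typing import Dict, List, Optional

# Hypothetical topology: pumps live in their own segment; the only thing they
# may do on the network is push telemetry to one monitored collector next door.
PUMP_SEGMENT = ipaddress.ip_network("10.40.0.0/24")
COLLECTOR = ipaddress.ip_address("10.41.0.2")
ALLOWED_PUMP_EGRESS = {("udp", 514)}               # (protocol, destination port)
HOSPITAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
MGMT_PORTS = {21: "ftp", 23: "telnet", 22: "ssh"}  # services that should never face a pump

# Constructed record format: "<ts> <src>:<sport> -> <dst>:<dport> <proto> <bytes>B"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>tcp|udp) (?P<bytes>\d+)B$")


def parse_flow(line: str) -> Optional[Dict]:
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "src": ipaddress.ip_address(m["src"]),
            "dst": ipaddress.ip_address(m["dst"]), "dport": int(m["dport"]),
            "proto": m["proto"], "bytes": int(m["bytes"])}


def evaluate(flow: Dict) -> Optional[str]:
    """Returns a rule name when the flow violates the segmentation policy."""
    src, dst = flow["src"], flow["dst"]
    if src in PUMP_SEGMENT:                                   # pump-initiated
        if dst == COLLECTOR:
            if (flow["proto"], flow["dport"]) in ALLOWED_PUMP_EGRESS:
                return None
            return "egress_unexpected_service"
        if dst in PUMP_SEGMENT:
            return "lateral_pump_to_pump"
        if any(dst in net for net in HOSPITAL_NETS):
            return "egress_left_segment"
        return "egress_external"
    if dst in PUMP_SEGMENT:                                   # anything inbound at all
        return "inbound_" + MGMT_PORTS.get(flow["dport"], "to_pump")
    return None                                               # not in scope


def audit(lines: List[str]) -> Dict:
    alerts, ok, malformed = [], 0, 0
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            malformed += 1
            continue
        rule = evaluate(flow)
        if rule is None:
            ok += 1
        else:
            alerts.append({"ts": flow["ts"], "src": str(flow["src"]), "dst": str(flow["dst"]),
                           "dport": flow["dport"], "rule": rule})
    return {"alerts": alerts, "ok": ok, "malformed": malformed}


# Constructed sample; not real hospital traffic.
SAMPLE_FLOWS = [
    "2017-09-08T10:12:01Z 10.40.0.17:50123 -> 10.41.0.2:514 udp 210B",
    "2017-09-08T10:12:03Z 10.40.0.17:50124 -> 10.41.0.2:514 udp 198B",
    "2017-09-08T10:13:10Z 10.10.5.44:41022 -> 10.40.0.17:21 tcp 1420B",
    "2017-09-08T10:13:12Z 10.10.5.44:41023 -> 10.40.0.17:23 tcp 88B",
    "2017-09-08T10:14:00Z 10.40.0.17:50125 -> 10.40.0.23:80 tcp 512B",
    "2017-09-08T10:15:30Z 10.40.0.23:50200 -> 203.0.113.10:443 tcp 9000B",
    "2017-09-08T10:16:00Z 10.40.0.23:50201 -> 10.20.1.5:445 tcp 3000B",
    "2017-09-08T10:16:20Z 10.40.0.17:50126 -> 10.41.0.2:22 tcp 300B",
    "2017-09-08T10:17:00Z 10.10.5.44:41030 -> 10.10.5.50:443 tcp 4000B",
    "this line is not a flow record",
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_FLOWS)["alerts"]:
        print(alert["ts"], alert["rule"], alert["src"], "->", alert["dst"], alert["dport"])
```

Note that the policy flags any inbound connection to a pump, including from the collector: in the write-only design the pump never needs to accept a session, so the first FTP or telnet connection into the segment is itself the alert, regardless of whether the credentials used were the hard-coded ones.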
