'Smart' Hospital IV Pump Vulnerable To Remote Hack Attack

from the killed-by-apathy dept

By this point, the half-baked security in most internet of things devices has become a bit of a running joke, leading to amusing Twitter accounts like Internet of Shit that highlight the sordid depth of this particular apathy rabbit hole. And while refrigerators leaking your Gmail credentials and tea kettles that expose your home networks are entertaining in their own way, it's easy to lose sight of the fact that the same half-assed security in the IoT space also exists on most home routers, your car, your pacemaker, and countless other essential devices and services your life may depend on.

The lack of security on the medical front is particularly alarming. The latest case in point: security researchers have discovered eight vulnerabilities in a syringe infusion pump used by hospitals to help administer medication to patients intravenously. The flaws in the Medfusion 4000 infusion pump, manufactured by UK medical multinational Smiths Group, were discovered by security researcher Scott Gayou. The device is utilized to deliver medications, blood, antibiotics and other fluids to critical care patients, patients undergoing surgery (anesthesia) -- and newborn babies.

The flaws were severe enough to warrant a new warning from the Department of Homeland Security, which issued an advisory that, like similar past advisories, rather downplays the fact these flaws could be utilized by a skilled hacker to kill somebody covertly:

"Successful exploitation of these vulnerabilities may allow a remote attacker to gain unauthorized access and impact the intended operation of the pump. Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump. Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment and specific clinical usage."

Both the FDA and DHS have ramped up the attention they're giving such vulnerabilities, recently having issued similar first-ever warnings about flaws in pacemakers by St. Jude Medical, which can be similarly abused to kill patients. And while this is all wonderful news if you're a wetworker operating in an environment where such flaws take years to discover, much less fix, it's decidedly less fun for the companies being criticized for half-assed security measures. In most cases, the companies impacted make it their top priority to downplay the risks involved, as the Smiths Group did in its statement on the vulnerabilities:

The possibility of this exploit taking place in a clinical setting is highly unlikely, as it requires a complex and an unlikely series of conditions.

Except six of the vulnerabilities in question simply involve the use of hard-coded credentials, the same problem that has plagued the home router market for years. For its part, Smiths says it's working hard to implement a fix for the flaws -- that might be released in January 2018. In the interim Smiths is urging hospitals to assess the risk, change the default login credentials, and disconnect these devices from the network where necessary. But considering the low quality of IT support in most hospitals (a major reason for a massive spike in hospital ransomware attacks) -- there's certainly no guarantee of any of these mitigation measures actually happening.


Reader Comments

  • Pixelation, 22 Sep 2017 @ 7:47pm

    Good News!

    Definitely good news for patients who want more Opiates and it's taking too long...

    • Roger Strong, 22 Sep 2017 @ 10:35pm

      Re: Good News!

      Religion is the opiate of the masses. For the non-religious, check out the developer bundles under the Techdirt Deals tab and learn how to supply your own!

  • That Anonymous Coward, 22 Sep 2017 @ 8:24pm

    "rather downplays the fact these flaws could be utilized by a skilled hacker to kill somebody covertly"

    Because we had to make nice to get the company to even make an announcement, because we have no powers to actually punish them.

    Are we just tacitly waiting for the bodycount?
    Are coroners now creating a forensics team capable of probing implanted medical devices?
    Is the "science" that embraced teeth marks capable of crawling code?

    This isn't the first, second, third, fourth, fifth, etc. time something like this has been found. I guess letting the industry self regulate isn't working out very well for sick people.

    We accept them downplaying the problems & covering it with you need to be a skilled hacker. Hackers don't run around in black hoodies wearing gloves and sunglasses all the time. They are everywhere. Just because a "white hat" found & disclosed something doesn't mean they were the only one looking. They weren't the one looking, who informed people, and then most likely had to go public to get them to even admit the crap is flawed.

    We have entire business models based on getting 0-day flaws, who are willing to sell phone tracking so dissidents can be murdered... think they would turn their noses up at medical hacks? Wanna buy a bridge in Brooklyn? They will tell you they would never do that, while trying to hide the multitude of broken promises and violations of laws because making money is more important than if the target's gonna end up dead.

    This is just yet another real cyber problem that is getting none of the focus, as we pour hundreds of billions into tanks, bullets, planes... but expect the infrastructure industries are gonna secure everything on their own with no real help.

  • Anonymous Coward, 23 Sep 2017 @ 12:34am

    Microcontrollers are cheap, and include network interface modules that have serial interfaces. This allows a device controller to be limited in software to using it to send messages only. This would allow a safe implementation of remote alarms and data monitoring. I assume that any adjustments are carried out at the patient's bedside, and requiring the removal of covers to update any software would be a safety feature.

    • JoeCool, 23 Sep 2017 @ 12:39pm

      Re:

      Considering how ridiculously expensive medical equipment is, you shouldn't be using a CHEAP microcontroller, you should be using an EXPENSIVE microcontroller. This would allow a full implementation of BSD or Linux, and all the subsequent security provided by either. Relatively speaking, an "expensive" microcontroller capable of running a decent OS with full security is not very expensive these days. Certainly one of the less expensive parts of the device, and in no way not more than covered by the final price.

      • Anonymous Coward, 23 Sep 2017 @ 1:27pm

        Re: Re:

        A full Linux or BSD implementation, connected to the network gives a much larger attack surface. A dedicated network interface, driven over a serial link, and set up to use UDP to send logging and alarm messages can be driven in a write only mode. The proposed approach is to provide the minimum functionality to allow remote monitoring and logging, and to avoid a full function device attached to the network.

        The medical device can have a full function OS, but with no network connection, except via the attached microcontroller, which can appear as a write only device. That is, let's avoid connecting a full operating system's network stack to the network, eliminating a large attack surface, and instead use a more controllable interface and device where, if the network connected device is compromised, logging can be shut down, but the operation of the medical device is not compromised.

        When human lives are at stake, a full function network interface is the wrong way to go, because even if used in the same fashion as the microcontroller, it could be used to host malware to attack the rest of the hospital system. The Microcontroller Interface is more easily audited, and with a suitable device and setup, its software can only be changed via physical access and a JTAG or similar programmer.

        • Anonymous Coward, 23 Sep 2017 @ 4:37pm

          Re: Re: Re:

          "When human lives are at stake, a full function network interface is the wrong way to go"

          And yet they are already deep within your motor vehicle innards. And do not tell me that is different, auto deaths used to be the number one killer.

          • JoeCool, 23 Sep 2017 @ 4:51pm

            Re: Re: Re: Re:

            Exactly - the smaller the device, the easier it is to completely RE the code. If it's not perfect, it becomes trivial to hack. Unfortunately, the smaller the device, the more you're likely to play games with the code to get it all to fit in a smaller device. You don't have the space or features or power to guarantee perfect safety, and many small device makers don't even try.

          • JEDIDIAH, 24 Sep 2017 @ 6:27am

            Re: Re: Re: Re:

            Why do you think you are not preaching to the choir here?

  • Anonymous Coward, 23 Sep 2017 @ 7:00am

    "rather downplays the fact these flaws could be utilized by a skilled hacker to kill somebody covertly"

    Perhaps this is a feature rather than bad security.

  • Anonymous Coward, 24 Sep 2017 @ 6:02am

    We know, thanks.

    The risks of IV therapy are high. So are the benefits. Not using pumps (using gravity-regulated drips, for example) is substantially more dangerous than using them. Given that the right dose can save your life and the wrong dose can kill you, digitally controlled IV pumps are here to stay, and that's a good thing.

    Which doesn't mean you don't understand their risks, which are multiple. Networked pump operation exploited by vulnerabilities like the ones in the advisory isn't even on the first page of the list. That's partially because the most obvious mitigation, which is not connecting the pump to a network, is also the default state in most hospitals.

    Good system design treats pumps and other Class 3 medical devices as foreign entities that should never be fully trusted on the network. Their design cannot be externally validated (although the FDA requires extensive internal validation) and poor network component design is a historic hallmark of the things. They are also ridiculously slow to receive updates, preserving zero-days for years. For that reason, physical AND logical segmentation is the order of the day, and wireless capabilities are an extraordinarily bad idea (given that pumps sort of have to be connected to the patient and to power, they're also mostly unnecessary). Pumps belong in isolated network segments with monitored gateways, no direct external access in or out, and strict behavioral triggering. Absent that, they belong off the network entirely.

    We knew all that long before this advisory. And although "hospital IT support" is an easy target for derision, the organization I work with, like a lot of health care IT organizations these days, has substantial effort and time devoted to just this issue, and a lot of incredibly bright minds thinking about safety and reliability in a world of crap built by Microsoft and Apple. (And, yes, by device manufacturers who put hard-coded FTP server credentials on their IV pumps for no apparent reason. Sigh.)

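The segmentation policy described in the comment above (isolated pump segment, monitored gateway, no direct access in or out, behavioral triggers), expressed as a check over flow records. This is an added example, not part of the original comment; the addresses, the syslog-only baseline and the function names are assumptions.

```python
import ipaddress

# Assumed addressing plan and baseline (illustrative, not from the advisory).
PUMP_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
GATEWAY = ipaddress.ip_address("10.50.0.1")   # monitored gateway
BASELINE = {("udp", 514)}                     # pumps only send logs/alarms

def is_pump(ip):
    return ip in PUMP_SEGMENT and ip != GATEWAY

def check_flow(src, dst, proto, dport):
    """Classify one flow record (src = initiator); None means it fits policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if is_pump(d):
        # Under this assumed policy nothing initiates a connection to a pump.
        if s not in PUMP_SEGMENT:
            return "direct external access in"
        return "inbound connection to pump inside segment"
    if is_pump(s):
        if d != GATEWAY:
            return "direct external access out"
        if (proto, dport) not in BASELINE:
            return "off-baseline traffic to gateway"
    return None

def audit(flows):
    """Return (flow, reason) for every record that violates the policy."""
    hits = []
    for flow in flows:
        reason = check_flow(*flow)
        if reason:
            hits.append((flow, reason))
    return hits

# Constructed sample flow records: (src, dst, proto, dport).
SAMPLE_FLOWS = [
    ("10.50.0.21", "10.50.0.1", "udp", 514),    # expected telemetry
    ("10.50.0.21", "203.0.113.9", "tcp", 443),  # pump bypasses gateway
    ("10.20.4.7", "10.50.0.22", "tcp", 21),     # hospital LAN host to pump FTP
    ("10.50.0.23", "10.50.0.24", "tcp", 8080),  # pump-to-pump traffic
    ("10.50.0.22", "10.50.0.1", "tcp", 80),     # unexpected service on gateway
    ("10.20.4.7", "10.20.4.8", "tcp", 445),     # unrelated traffic
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"ALERT {reason}: {flow}")
```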

  • Peter, 24 Sep 2017 @ 6:57pm

    Why aren't the networks separate?

    I thought the best security is to not have the medical equipment on the same network as the rest of the hospital/internet. If they are physically separated, it doesn't matter if the devices have a vulnerability. Not having the medical network connected to the internet would reduce the risks. Of course a hacker could still gain physical access to the medical network, but that does increase the risk of them being detected and caught.
