Vulnerability-Riddled Drug Pumps Open to Takeover

One medical device company’s line of drug pumps is so fraught with vulnerabilities that the researcher that discovered the flaws claims the pump is the least secure IP-enabled device he’s ever come across.

Certain versions of Hospira’s Lifecare PCA3 Drug Infusion pumps are susceptible to multiple remotely exploitable vulnerabilities that could not only brick the device, but with a little tweaking, also let attackers change the drug library they’re affiliated with, update the its software, and run commands.

“I would personally be very concerned if this device was being attached to me,” Jeremy Richards, a Software Security Engineer at the SAINT Corporation who dug up the bugs, wrote last week, “It is not only susceptible to attack, it is so poorly programmed it can be rendered a useless brick with a single typo.”

> Don’t buy a Hospira PCA drug pump to do security stuff. Busybx no passwd shell on 23, no-auth CGIs, also never hook it up to a human being
>
> — dyngnosis (@dyngnosis) April 27, 2015

The affected pumps come configured with a default IP address, 192.168.0.100, that could be used by an attacker to extract wireless encryption keys, which are stored in plain text on the device. If an attacker had physical access to the device, they could not only gain access to the keys and compromise the pump, but by extension, any drug pumps in the hospital connected to its WiFi.

In a scenario Richards looked at he found WPA keys for the hospital’s wireless network on the pumps, unencrypted and in plain text, something that means that they could easily be accessed via Telnet and FTP and ultimately, if the devices were ever sold, cause a mess of trouble for the hospitals.

> Hospitals need to remove WPA keys from their devices before selling them on ebay/med surplus companies. This is a Life Critical Network.
>
> — dyngnosis (@dyngnosis) April 28, 2015

Richards, who blogs about security at HextechSecurity.com, discussed the pump’s failures last week. A CVE (CVE-2015-3459) for the issue, specifying that pumps running SW version 412 don’t require authentication for Telnet sessions and could allow remote attackers to gain root privileges via TCP port 23, was created at the National Vulnerability Database shortly after.

Richards claims that since the device has an exposed ethernet port a local physical attack could be carried out with an attack tool, like a specially rigged Raspberry Pi, in less than 5 seconds.

“This is a game-over vulnerability that allows an attacker with physical access to the device complete control over their own device,” Richards wrote.

Attackers can also glean information related to hard coded local accounts and on top of that, a server, AppWeb, that runs in tandem with the device suffers from its own separate vulnerabilities as well.

The issue is complicated by the fact that even if there was authentication present on the Telnet port, it wouldn’t help, since there are several web services, exposed CGIs “linkparams” and “xmmucgi,” that don’t require authentication which an attacker could exploit to “change the drug library, update software and run commands.”

As Richards points out in his blog, he’s contacted Hospira, the medical device company that manufactures the pumps, but it apparently has no plans to either recertify or patch the devices.

The issue is the second to plague the Illinois medical device firm in the last month.

In late March a similar flaw with the company’s Windows-based MedNet platform, divulged by noted device hacker Billy Rios, surfaced.

If exploited, Hospira’s MedNet server software could be used to push unauthorized modifications to medication libraries and pump configurations. Similar to the issue with the pumps, that issue stemmed from the fact that the software, which basically manages drug libraries and how certain medicine is doled out through the pumps, used hard-coded cryptographic keys that could be intercepted by hackers.

On Wednesday Hospira claimed it was aware of the issue and that it has conferred with its customers on how to address it.

“There are no instances of Hospira devices being breached in a clinical setting and Hospira has taken a proactive approach to address potential cybersecurity vulnerabilities,” Tareta Adams, a Hospira spokesperson said, adding that the company has had talks with the FDA and the Department of Homeland Security regarding device security.

“It’s also worth noting that exploiting vulnerabilities requires penetrating several layers of network security enforced by the hospital information system, including secure firewalls,” Adams said.

This article was updated on May 7 to include comments from Hospira