Another Hospital Device Vulnerable to Wireless Attacks, IV Drug Pump

SECURITY RESEARCHER DISCOVERS 8 WAYS TO HACK WIRELESS IV PUMP

In yet another instance of the dangers of modern-day hacking and vulnerable devices that put our lives in danger, we bring you the now hackable IV drug pump used widely in hospitals.  The Department of Homeland Security sent out another advisory last week, this time detailing the vulnerability in a syringe infusion pump.  It’s a machine used to administer precise doses of medications intravenously.  But this IV drug pump is also a wireless network device, which security researcher Scott Gayou reviewed and discovered has no fewer than 8 different hackable vulnerabilities.

PRECISION DEVICE USED WIDELY ON ALL PATIENTS, INCLUDING NEWBORNS

The device under review and of concern is the Medfusion 4000 infusion pump, manufactured by Smiths Medical, which is a part of the British giant Smiths Group.  The device is used widely to administer drugs, blood, lipid products, antibiotics and just about anything medical professionals might need to give to a patient intravenously.  That of course includes anesthesia and, because it is a precision device, it is also valuable for use with the elderly and the extremely young, such as newborns.

HACKERS CAN TAKE OVER IV PUMP, CHANGE DOSES, STOP DOSES

Homeland Security—or more specifically, its Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)—warns in its advisory: “Successful exploitation of these vulnerabilities” identified by Gayou in the Medfusion 4000 “may allow a remote attacker to gain unauthorized access and impact the intended operation of the pump.” The agency adds: “Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump.”

HACKABLE IV PUMP KEY TO PRECISE CALCULATIONS OF DOSAGE, SAFETY, ESPECIALLY FOR FRAGILE PATIENTS

The use of machines for measuring and administering intravenous drugs is nothing new and such devices are widely credited with reducing major dosing errors. Pediatric dosing, for instance, requires very precise measurements to prevent adverse reactions, and dosing errors in the case of a neonatal patient can be especially fatal. An infusion pump, such as the Medfusion 4000, can replace manual calculations typically done by pharmacy technicians, whose math may be verified by a skilled pharmacist, but who are often left unsupervised while actually drawing up syringes and IV bags before they arrive at a patient’s bedside.

MANUFACTURER SAYS NO PROBLEM, ATTACKS UNLIKELY, FIX IN 5 MONTHS

On Thursday, Smiths Medical notified its customers in a letter acknowledging the flaw, though it downplayed the risk to patients, asserting: “The possibility of this exploit taking place in a clinical setting is highly unlikely, as it requires a complex and an unlikely series of conditions.”

MANUFACTURER ALSO PROVIDES LONG DETAILED LIST OF SECURITY PRECAUTIONS, BUT DON’T WORRY

Smiths Medical also wrote that it plans to correct the vulnerabilities in a software update to be released five months from now. In the meantime, however, the company has offered a detailed list of protocols it says should prevent any potential attacks. The list includes further segregating the devices from other parts of hospitals’ networks, assigning the devices static IP addresses, and—no kidding—using passwords containing “uppercase, lowercase, special characters, and a minimum character length of eight.”

Attackers exploiting vulnerabilities in medical technology may be the stuff of poorly written Hollywood assassination plots, but that doesn’t make it any less scary for the people who rely on such devices to live. Last month, for instance, nearly a half million patients with cardiac pacemakers were instructed to report to their doctors for a firmware update after the manufacturer disclosed a life-threatening flaw that would allow a malicious attacker to “gain access and issues commands to the implanted medical device.”

Connecting infusion pumps wirelessly to a hospital network, even to a local server that isn’t connected to the internet, poses certain inherent risks. While the benefit to patients may greatly outweigh those risks, there is no technology—save perhaps that which is used for military applications—which demands greater scrutiny and vigilance on the part of security professionals.
