When an independent security researcher identified a critical vulnerability earlier this year in popular drug infusion pumps that hundreds of thousands of hospitals use, he identified hackers could raise the dosage limit patients received, allowing a to remotely kill a victim in the hospital.
However, the attack wasn’t as cut and dry as it seems, the researcher, Billy Rios, found that he couldn’t direct the pump to infuse the dose, but could instead alter the numbers on the medical pump meter, meaning nurses or other medical officials could up victims to a deadly dosage the hacker set. The vulnerability caught headlines, but was far less alarming than if you could actually hack into the pump and administer the dosage yourself.
Sadly that day has come, as Rios has now identified far more serious vulnerabilities in the drug pumps made by the same manufacturer, which would allow a hacker to remotely increase or decrease the dosage patients receive, allowing a hacker to administer a fatal dose to victims.
The critical vulnerability identified currently affects at least five models of drug pump made by Hospira, an Illinois firm with some 400,000 drug pumps installed in hospitals around the world. Rios said he has been able to identify a number of vulnerable pumps, but due to the vast amount, he does not have the ability to personally test them all.
Earlier in the year, Rios had went public with information about a number of security issues with Hospira’s LifeCare pumps, but no one was expecting the vulnerability to be this critical.
Rio’s past disclosure involved the drug libraries used within the pump, which allows the device to increase and decrease the boundaries for dosages. Because the libraries don’t require any form of authentication, Rios found that anyone on the hospital’s network, including patients, can load an entirely new drug library that would alter the dosage limit for the drug.
When Rios went public with the old vulnerability he had yet to find any vulnerabilities linked to the pump that would allow a hacker to administer their own dosage. Rios has since identified far more critical vulnerabilities in the LifeCare pumps which he had reported to Hospira and the FDA last year. This was before he was able to test the Plum A+ pump, one of the many devices plagued with the severe vulnerability.
Fast forward a few months and Rios has since identified a set of new vulnerabilities that could allow an attacker to remotely alter the firmware pre-loaded on the pumps, giving them complete control over the devices with the ability to alter dosages patients receive. Due to the pumps being vulnerable to the old library vulnerability he disclosed, an attacker could first raise the dosage above the maximum limit before delivering it to a patient, making the vulnerabilities far more serious. The pump issues no type of alert to staff or anyone in the hospital even if the dosage is known to be highly fatal.
Hackers could even alter the the pump to say the dosage is completely safe, even though it’s the exact opposite.
How the Firmware Security Bug Works
The firmware bug lies within a communication module in LifeCare and Pump A+ pumps. Such models are used by staffers to update the libraries on the pumps. According to Rios, the communication modules are connected via a serial cable to a circuit board in the pumps, which is where the firmware is stored. The company uses the serial cable to remotely access the firmware and update it, just as a hacker can.
The firmware flaw could be easily mitigated if Hospira pumps only accepted legitimate firmware updates that were authorized and digitally signed by the company. However, the pump will accept any update, regardless of who or where it’s from.
Hacking into a drug infusion pump may not be that easy as an attacker must know how to perform a firmware update, but Rios said it didn’t take him all that long to learn.
According to Rios, when reporting the vulnerability to Hospira last year, saying that hackers could override the firmware on its own pumps, the company denied all claims and “didn’t believe it could be done.” Hospira claimed there was a “separator” present between the module and circuit board making this type of attack impossible. Rios has said that yes there is physical separation between the cables, but the serial cable acts as a bridge to jump from one to the other.
“You can talk to that communication module over the network or over a wireless network,” Rios warned.
Hospira knows this, he told Wired, because this is how the company delivers firmware updates to their own drug infusion pumps. Despite evidence, the company claims that “the separation makes it so you can’t hurt someone. So we’re going to develop a proof-of-concept that proves that’s not true.”
When Rios contacted Hospira a year ago, the company was insistent that the vulnerability did not stretch beyond the first pump, but to prove them wrong, Rios bought several other pumps and identified they were also vulnerable.
However, the drug pump hack did receive some light, as the FDA issued an alert on the firmware security flaw, though only in reference to two pumps. The alert didn’t mention other models which could lead hospitals to believe their drug pumps are not at risk.
Following the FDA release, Rios contacted the agency to tell them that the vulnerability extended to several other pumps as well. The agency asked Rios to keep the information on hold from the public til Hospira could issue a patch, but Rios declined, saying Hospira has known of the vulnerability for over a year. Hospitals drug infusion pumps are putting the patients at risk, he added.
Medical gear is starting to become more and more vulnerable as it’s becoming Internet-connected, just last month a set of researchers identified that an artificial kidney could be hacked to administer severe dosages while active inside another persons body. Medical manufactures needs to start enhancing their cyber security defense soon or millions of lives could be at risk.