|
Mostly_Harmless
wyrd bið ful aræd



Registered: 05/12/09
Posts: 5,043
Loc: Perfidious Albion
|
Hacker Can Send Fatal Dose to Hospital Drug Pumps 1
#21781316 - 06/08/15 11:37 PM (8 years, 7 months ago) |
|
|
http://www.wired.com/2015/06/hackers-can-send-fatal-doses-hospital-drug-pumps/
Quote:
06.08.15
 Hospira's drug infusion pumps include a serial cable (the wide grayish-white cable with the single red stripe on one edge) that connects the communications module to the main pump board.
When security researcher Billy Rios reported earlier this year that he’d found vulnerabilities in a popular drug infusion pump that would allow a hacker to raise the dosage limit on medication delivered to patients, there was little cause for concern.
Altering the allowable limits of a particular drug simply meant that if a caregiver accidentally instructed the pump to give too high or too low a dosage, the pump wouldn’t issue an alert. This seemed much less alarming than if the pumps had vulnerabilities that would allow a hacker to actually alter the dosage itself.
Now Rios says he’s found the more serious vulnerabilities in several models of pumps made by the same manufacturer, which would allow a hacker to surreptitiously and remotely change the amount of drugs administered to a patient.
“This is the first time we know we can change the dosage,” Rios told WIRED.
The vulnerabilities are known to affect at least five models of drug infusion pumps made by Hospira—an Illinois firm with more than 400,000 intravenous drug pumps installed in hospitals around the world.
The vulnerable models include the company’s standard PCA LifeCare pumps; its PCA3 LifeCare and PCA5 LifeCare pumps; its Symbiq line of pumps, which Hospira stopped selling in 2013 due to concerns raised by the FDA over other quality and safety issues with the pumps; and its Plum A+ model of pumps. Hospira has at least 325,000 of the latter model alone installed in hospitals worldwide.
These are the systems that Rios knows are vulnerable because he’s tested them. But he suspects that the company’s Plum A+3 and its Sapphire and SapphirePlus models are equally vulnerable too.
Hospira did not respond to a request for comment.
Earlier this year, Rios went public with information about a different security issue with Hospira’s LifeCare pumps.
 A Hospira Plum A+ pump, originally owned by a hospital in Pikeville, Kentucky, that Rios purchased online. Here it’s shown connected to an IV unit.
This one involved drug libraries used with the pumps, which help set upper and lower boundaries for dosages of intravenous drugs a pump can safely administer. Because the libraries don’t require authentication, Rios found that anyone on the hospital’s network—including patients in the hospital or a hacker accessing the pumps over the Internet—can load a new drug library that alters the limits for a drug.
At the time he publicly disclosed the library vulnerability, Rios told WIRED that he had not yet found any vulnerabilities that would allow him to actually alter a drug dosage, though he was working on it. But he now acknowledges that he had found these more serious vulnerabilities in the LifeCare pumps at the time and had in fact reported them to Hospira and the FDA last year. At the time he hadn’t yet tested a Plum A+ pump, however.
The new vulnerabilities would allow attackers to remotely alter the firmware on the pumps, giving them complete control of the devices and the ability to alter dosages delivered to patients. And because the pumps are also vulnerable to the previous library vulnerability he disclosed, an attacker would be able to first raise the dosage above the maximum limit before delivering a potentially deadly dosage without the pump issuing an alert.
How the Firmware Security Flaw Works
The problem lies with a communication module in the LifeCare and Plum A+ pumps. Hospitals use the communication modules to update the libraries on the pumps. But the communication modules are connected via a serial cable to a circuit board in the pumps, which contains the firmware. Hospira uses this serial connection to remotely access the firmware and update it. But hackers can use it for the same purpose.
The serial connection would be less of a concern if Hospira’s pumps accepted only legitimate firmware updates that were authenticated and digitally signed. But Rios says they’ll accept any update, which means anyone can alter the software on the pumps.
“And if you can update the firmware on the main board, you can make the pump do whatever you like,” Rios says.
A hacker could not only change the dosage of drugs delivered to a patient but also alter the pump’s display screen to indicate a safe dosage was being delivered.
The compromise of the communication module and serial cable doesn’t automatically mean a compromise of the pump. An attacker needs to know how to perform a firmware update. But Rios says it didn’t take him long to figure it out.
 The Plum A plus communications module board
Hospira Denied Problem With Pumps
Rios says when he first told Hospira a year ago that hackers could update the firmware on its pumps, the company “didn’t believe it could be done.” Hospira insisted there was “separation” between the communications module and the circuit board that would make this impossible. Rios says technically there is physical separation between the two. But the serial cable provides a bridge to jump from one to the other.
“From an architecture standpoint, it looks like these two modules are separated,” he says. “But when you open the device up, you can see they’re actually connected with a serial cable, and they’re connected in a way that you can actually change the core software on the pump.”
An attacker wouldn’t need physical access to the pump. The communication modules are connected to hospital networks, which are in turn connected to the Internet. “You can talk to that communication module over the network or over a wireless network,” Rios warns.
Hospira knows this, he says, because this is how it delivers firmware updates to its pumps. Yet despite this, he says, the company insists that “the separation makes it so you can’t hurt someone. So we’re going to develop a proof-of-concept that proves that’s not true.”
He plans to demonstrate a proof-of-concept attack next month at the SummerCon security conference in Brooklyn, New York.
Rios says when he warned Hospira a year ago about the firmware problem in its LifeCare pumps, he advised the company to perform what’s called a variant analysis to determine if its other models of pumps were affected as well, but the company refused, saying the problem was confined to the LifeCare line. To prove Hospira wrong, Rios purchased and tested one of the company’s Plum A+ drug pumps and found that it had the same firmware issue.
Last month, the FDA issued an alert about the firmware issue, but only in reference to Hospira’s LifeCare PCA3 and PCA5 pumps. The alert didn’t mention the other models, which could lead hospitals to believe they don’t have a security risk.
Rios contacted the FDA last week to tell the agency that the vulnerability extended to Hospira’s Plum A+ line as well, but he says the federal agency asked him to withhold the finding from the public until Hospira had time to verify the issue. But Rios declined, saying Hospira had already had a year to test the Plum A+ pumps and determine if the problem extended to them, but had declined to do so. He said hospitals needed to know now that the pumps are putting patients at risk.
The FDA did not respond to a request for comment.
Rios is planning to obtain models from Hospira’s Sapphire line of pumps as well to prove that they’re equally vulnerable to the issue.
|
LuSiD enthusiast
Stranger

Registered: 03/14/13
Posts: 4,325
Last seen: 4 years, 9 months
|
Re: Hacker Can Send Fatal Dose to Hospital Drug Pumps [Re: Mostly_Harmless]
#21781394 - 06/09/15 12:17 AM (8 years, 7 months ago) |
|
|
If hollywood has taught me anything, its that hackers can do anything they want, with the stroke of a few keys, and some made up sciency words.
Dont fuck with hackers.
-------------------- I'm addicted to coke, weed, booze, ludes and speed. Not LSD, you can't get addicted to LSD, it was built by scientists. I ain't got no demons that gonna get woke. In erowid we trust. Just take your damn pills and don't ask any questions, you'll be fine.
|
foodsgoodtoo
FPSnosurrender



Registered: 02/13/09
Posts: 3,720
|
Re: Hacker Can Send Fatal Dose to Hospital Drug Pumps [Re: LuSiD enthusiast]
#21781497 - 06/09/15 01:29 AM (8 years, 7 months ago) |
|
|
didnt know that about hospice
|
lessismore
Registered: 02/10/13
Posts: 6,268
|
Re: Hacker Can Send Fatal Dose to Hospital Drug Pumps [Re: foodsgoodtoo]
#21781520 - 06/09/15 01:44 AM (8 years, 7 months ago) |
|
|
Hackers can send a swat team to your house, more specifically 9 year old IRC hackers
Hackers can hack your DMV and get free motor license
Hackers can take down fbi.gov or edit its site, happens regularly
Hackers can make their own visacards and write them with a machine - from stolen cc numbers they trade online for $2 each or so
$2 to become very rich
the possibility of being discovered is very small (cops dont have time to bust single cc hackers)
unless you do it big scale, you steal 10.000 ccs and use them all to your home
most cc hackers dont get busted, there is a huge cc hacker scene
cc hackers get their stolen creditcards from people's pcs when they type them in, most people use windows today and earlier, and they are never secure any windows pc is insecure, in fact most of them got trojan horses on them in the background so the hacker can do anything they want with 10-20% of all windows pcs out there today - they're infected on botnets
hackers can make you appear deceased, hack your death certificate
hackers can hire hitmen
hackers can get a fake id no prob, they can be anyone they want, your neighbor or your co employee (change identity for $200)
don't mess with them, they're the electron cowboys ;-)
|
lessismore
Registered: 02/10/13
Posts: 6,268
|
Re: Hacker Can Send Fatal Dose to Hospital Drug Pumps [Re: lessismore]
#21781534 - 06/09/15 01:51 AM (8 years, 7 months ago) |
|
|
Btw if you like hacking movies I can recommend Hackers - Takedown , much more realistic than the original hackers ;-) , but maybe not as fun lol
That one is realistic enough it could happen in real life, actually it is about Kevin Mitnick and how he got caught
using a fake cell tower, beware which tower you hook up to when you hack wirelessly ;-)
|
Drumdude27
Millennial Hippy



Registered: 03/22/13
Posts: 563
Last seen: 4 months, 5 days
|
Re: Hacker Can Send Fatal Dose to Hospital Drug Pumps [Re: lessismore]
#21782629 - 06/09/15 10:32 AM (8 years, 7 months ago) |
|
|
As if hospitals didn't cause people enough anxiety. Seriously though, us tech nerds will always find a way
--------------------
Random acts of Shroomery kindness Drumdude27 said: Don't make me get the FemNazis involved guys. 420th post. No regrets. Only joy.
|
|