'Smart' Hospital IV Pump Vulnerable To Remote Hack Attack
from the killed-by-apathy dept
By this point, the half-baked security in most internet of things devices has become a bit of a running joke, leading to amusing Twitter accounts like Internet of Shit that highlight the sordid depth of this particular apathy rabbit hole. And while refrigerators leaking your Gmail credentials and tea kettles that expose your home network are entertaining in their own way, it's easy to lose sight of the fact that the same half-assed security in the IoT space also exists on most home routers, your car, your pacemaker, and countless other essential devices and services your life may depend on.
The lack of security on the medical front is particularly alarming. The latest case in point: security researchers have discovered eight vulnerabilities in a syringe infusion pump used by hospitals to administer medication to patients intravenously. The flaws in the Medfusion 4000 infusion pump, manufactured by UK medical multinational Smiths Group, were discovered by security researcher Scott Gayou. The device is used to deliver medications, blood, antibiotics and other fluids to critical care patients, patients undergoing surgery (anesthesia) -- and newborn babies.
The flaws were severe enough to warrant a new warning from the Department of Homeland Security, which issued an advisory that, like similar past advisories, rather downplays the fact these flaws could be utilized by a skilled hacker to kill somebody covertly:
"Successful exploitation of these vulnerabilities may allow a remote attacker to gain unauthorized access and impact the intended operation of the pump. Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump. Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment and specific clinical usage."
Both the FDA and DHS have ramped up the attention they're giving such vulnerabilities, recently having issued similar first-ever warnings about flaws in pacemakers made by St. Jude Medical, which could likewise be abused to kill patients. And while this is all wonderful news if you're a wetworker operating in an environment where such flaws take years to discover, much less fix, it's decidedly less fun for the companies being criticized for half-assed security measures. In most cases, the companies impacted make it their top priority to downplay the risks involved, as the Smiths Group did in its statement on the vulnerabilities:
The possibility of this exploit taking place in a clinical setting is highly unlikely, as it requires a complex and an unlikely series of conditions.
Except six of the vulnerabilities in question simply involve the use of hard-coded credentials, the same problem that has plagued the home router market for years. For its part, Smiths says it's working hard to implement a fix for the flaws -- one that might be released in January 2018. In the interim, Smiths is urging hospitals to assess the risk, change the default login credentials, and disconnect these devices from the network where necessary. But considering the low quality of IT support in most hospitals (a major reason for the massive spike in hospital ransomware attacks), there's certainly no guarantee of any of these mitigation measures actually happening.
Filed Under: cybersecurity, health, iot, iv pump, security, smart devices
Reader Comments
Good News!
Re: Good News!
Because we had to make nice to get the company to even make an announcement, because we have no powers to actually punish them.
Are we just tacitly waiting for the bodycount?
Are coroners now creating a forensics team capable of probing implanted medical devices?
Is the "science" that embraced teeth marks capable of crawling code?
This isn't the first, second, third, fourth, fifth, etc. time something like this has been found. I guess letting the industry self-regulate isn't working out very well for sick people.
We accept them downplaying the problems & covering it with you need to be a skilled hacker. Hackers don't run around in black hoodies wearing gloves and sunglasses all the time. They are everywhere. Just because a "white hat" found & disclosed something doesn't mean they were the only one looking. They weren't the one looking, who informed people, and then most likely had to go public to get them to even admit the crap is flawed.
We have entire business models based on getting 0-day flaws, who are willing to sell phone tracking so dissidents can be murdered... think they would turn their noses up at medical hacks? Wanna buy a bridge in Brooklyn? They will tell you they would never do that, while trying to hide the multitude of broken promises and violations of laws, because making money is more important than whether the target's gonna end up dead.
This is just yet another real cyber problem that is getting none of the focus, as we pour hundreds of billions into tanks, bullets, planes... but expect the infrastructure industries are gonna secure everything on their own with no real help.
Re: Re:
The medical device can have a full-function OS, but with no network connection except via the attached microcontroller, which can appear as a write-only device. That is, let's avoid connecting a full operating system's network stack to the network, eliminating a large attack surface, and instead use a more controllable interface and device, where, if the network-connected device is compromised, logging can be shut down but the operation of the medical device is not compromised.
When human lives are at stake, a full-function network interface is the wrong way to go, because even if used in the same fashion as the microcontroller, it could be used to host malware to attack the rest of the hospital system. The microcontroller interface is more easily audited, and with a suitable device and setup, its software can only be changed via physical access and a JTAG or similar programmer.
Re: Re: Re:
And yet they are already deep within your motor vehicle innards. And do not tell me that is different, auto deaths used to be the number one killer.
Perhaps this is a feature rather than bad security.
Re:
We know, thanks.
Which doesn't mean you don't understand their risks, which are multiple. Networked pump operation exploited by vulnerabilities like the ones in the advisory isn't even on the first page of the list. That's partially because the most obvious mitigation, which is not connecting the pump to a network, is also the default state in most hospitals.
Good system design treats pumps and other Class 3 medical devices as foreign entities that should never be fully trusted on the network. Their design cannot be externally validated (although the FDA requires extensive internal validation), and poor network component design is a historic hallmark of these things. They are also ridiculously slow to receive updates, preserving zero-days for years. For that reason, physical AND logical segmentation is the order of the day, and wireless capabilities are an extraordinarily bad idea (given that pumps sort of have to be connected to the patient and to power, they're also mostly unnecessary). Pumps belong in isolated network segments with monitored gateways, no direct external access in or out, and strict behavioral triggering. Absent that, they belong off the network entirely.
We knew all that long before this advisory. And although "hospital IT support" is an easy target for derision, the organization I work with, like a lot of health care IT organizations these days, has substantial effort and time devoted to just this issue, and a lot of incredibly bright minds thinking about safety and reliability in a world of crap built by Microsoft and Apple. (And, yes, by device manufacturers who put hard-coded FTP server credentials on their IV pumps for no apparent reason. Sigh.)
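The commenter above describes the defensive posture in words: pumps in an isolated segment behind a monitored gateway, no direct access in or out, and "strict behavioral triggering". The script below is an added illustration of what that monitoring can look like in practice; it is not code from Techdirt, from any commenter, or from Smiths Medical. It checks every flow crossing the pump segment's gateway against a small allowlist and raises an alert for anything else, with a specific alert for FTP or Telnet reaching the segment (the carriers of the hard-coded credentials the article and the commenter mention). All addresses, port numbers and log lines are constructed; the management server and the port 8443 it uses are assumptions, not the vendor's real values.

```python
"""Allowlist flow monitor for an isolated infusion-pump network segment.

Added example, not part of the original page. Every address, port and log
line is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Constructed addressing: the isolated pump segment behind the gateway.
PUMP_SEGMENT = ip_network("10.50.0.0/24")

# Assumed pump-management server on the clinical VLAN; the only host allowed
# to open connections into the pump segment, and only on port 8443 (assumed).
MGMT_SERVER = "10.20.0.15"
ALLOWED_INBOUND_PORTS = {8443}

# Assumed destinations the pumps may reach: the management server and a
# syslog collector that receives the pumps' own logs.
ALLOWED_OUTBOUND = {
    (MGMT_SERVER, 8443),
    ("10.20.0.20", 514),
}

# Plaintext protocols that should never appear on a pump segment; FTP and
# Telnet are where hard-coded device credentials typically surface.
FORBIDDEN_PORTS = {21: "ftp", 23: "telnet"}


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse a constructed gateway flow-log line:
    'ts=<time> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>'."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return Flow(fields["ts"], fields["src"], fields["dst"],
                int(fields["dport"]), fields["proto"])


def classify(flow: Flow) -> str:
    """Return 'allow' or an 'alert:<reason>' string for one gateway flow."""
    src_in = ip_address(flow.src) in PUMP_SEGMENT
    dst_in = ip_address(flow.dst) in PUMP_SEGMENT
    if not (src_in or dst_in):
        return "allow"  # does not touch the pump segment at all
    if flow.dport in FORBIDDEN_PORTS:
        return f"alert:{FORBIDDEN_PORTS[flow.dport]}-to-pump-segment"
    if src_in and dst_in:
        # Pumps have no reason to talk to each other: lateral movement.
        return "alert:pump-to-pump-lateral"
    if dst_in:
        # Inbound: only the management server, only on its management port.
        if flow.src == MGMT_SERVER and flow.dport in ALLOWED_INBOUND_PORTS:
            return "allow"
        return "alert:unexpected-inbound"
    # Outbound: only to the explicitly allowed (host, port) pairs.
    if (flow.dst, flow.dport) in ALLOWED_OUTBOUND:
        return "allow"
    return "alert:unexpected-outbound"


def scan(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Run the allowlist over flow-log lines; return (ts, src, dst, reason)
    for every flow that is not allowed."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        verdict = classify(flow)
        if verdict != "allow":
            alerts.append((flow.ts, flow.src, flow.dst, verdict))
    return alerts


# Constructed sample gateway log: two benign flows, then four that a
# monitored gateway should trigger on.
SAMPLE_LOG = [
    "ts=2017-09-08T10:00:01 src=10.20.0.15 dst=10.50.0.7 dport=8443 proto=tcp",
    "ts=2017-09-08T10:00:02 src=10.50.0.7 dst=10.20.0.20 dport=514 proto=udp",
    "ts=2017-09-08T10:00:03 src=10.30.0.44 dst=10.50.0.7 dport=21 proto=tcp",
    "ts=2017-09-08T10:00:04 src=10.50.0.7 dst=10.50.0.8 dport=445 proto=tcp",
    "ts=2017-09-08T10:00:05 src=10.50.0.7 dst=203.0.113.9 dport=443 proto=tcp",
    "ts=2017-09-08T10:00:06 src=10.30.0.44 dst=10.50.0.7 dport=8443 proto=tcp",
]

if __name__ == "__main__":
    for ts, src, dst, reason in scan(SAMPLE_LOG):
        print(f"{ts} {src} -> {dst} {reason}")
```

The design point is that the allowlist is tiny and written from the pump's expected behaviour, not from a blocklist of known-bad traffic: a device whose firmware cannot be audited and may not be patched for years is constrained by what the gateway permits it to do, so even an attacker who has the hard-coded credentials cannot reach the pump from an arbitrary host or use it as a foothold toward the rest of the hospital network.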
Why aren't the networks separate?