{"id":8650,"date":"2015-05-12T12:55:51","date_gmt":"2015-05-12T16:55:51","guid":{"rendered":"https:\/\/www.kaspersky.co.za\/blog\/?p=8650"},"modified":"2019-11-15T13:58:58","modified_gmt":"2019-11-15T11:58:58","slug":"drug-pump-security-bugs","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.za\/blog\/drug-pump-security-bugs\/8650\/","title":{"rendered":"Critical Security Vulnerabilities in Drug Injection Pumps"},"content":{"rendered":"

In yet another example of smart medical device insecurity<\/a>, it has emerged recently that a line of Hospira drug pumps are exposed to a series of remotely exploitable vulnerabilities that could allow an attacker to take complete control of affected pumps or simply render them useless.<\/p>\n

These drug infusion pumps are part of the new wave of smart and connected medical devices. As we\u2019ve written here before, particularly with regard to high-tech insulin pumps<\/a>, smart medical devices essentially remove the risk of human error for people requiring the chronic administration of drugs. Unfortunately, many of the companies developing these devices have repeatedly demonstrated a complete disregard for security.<\/p>\n

It is not only susceptible to attack, it is so poorly programmed it can be rendered a useless brick with a single typo<\/div>\n

Hospira\u2019s Lifecare PCA Drug Infusion pumps are so vulnerable, in fact, security researcher Jeremy Richards said, they were the least secure IP-enabled device he had ever worked with. Richards says a remote attacker could render impacted devices utterly useless, a process known popularly as bricking.<\/p>\n

\u201cIt is not only susceptible to attack,\u201d Richards wrote, \u201cit is so poorly programmed it can be rendered a useless brick with a single typo.\u201d<\/p>\n

He claims potential attackers could also update device software, run commands, and manipulate the drug-specific libraries that correspond with barcodes printed onto vials containing critical dosage and other information.<\/p>\n

Interestingly, not one, but two researchers discovered the drug injection bugs independently. First Billy Rios, who\u2019s known for having hacked airport security<\/a>, carwash<\/a> and home automation systems<\/a>.<\/p>\n

\n

A security flaw in a widely used IV pump lets hackers raise drug-dosage limits http:\/\/t.co\/8FuMz23ngG<\/a><\/p>\n

\u2014 WIRED (@WIRED) April 10, 2015<\/a><\/p><\/blockquote>\n