Hacking Drug Infusion Pumps, never so easy

Certain versions of common drug infusion pumps are affected by numerous remotely exploitable vulnerabilities that could open the doors to hackers.

We have discussed several times the possibility of hacking medical devices and the need for security by design in these objects. In 2012 the US Government Accountability Office (GAO) published a report that highlighted the necessity of securing medical devices such as implantable cardioverter defibrillators or insulin pumps. The recommendation was directed to the Food and Drug Administration (FDA) and invited it to approach the problem seriously, considering the risks of

News of the day is that specific versions of Hospira’s Lifecare PCA3 Drug Infusion pumps are affected by a number of vulnerabilities that could be exploited remotely by attackers to completely take over the devices.

The researcher who discovered the vulnerabilities was disconcerted by the possible implications for patient safety.

In October 2014, the US ICS-CERT was assessing several products, including an infusion pump from Hospira Inc and implantable heart devices commercialized by Medtronic Inc and St Jude Medical Inc. Rumors indicated that one of the cases involved an alleged vulnerability in a type of infusion pump discovered by the security expert Billy Rios, who declined to name the manufacturer.

“Two people familiar with his research said the manufacturer was Hospira,” Reuters states in a blog post.

The vulnerabilities recently discovered by the researcher could be exploited to block the device, change the drug library it is associated with, run commands and update its software.

“I would personally be very concerned if this device was being attached to me,” wrote Jeremy Richards, a Software Security Engineer at the SAINT Corporation who discovered the vulnerabilities. “It is not only susceptible to attack, it is so poorly programmed it can be rendered a useless brick with a single typo.”

The expert discovered serious security issues in the pumps. The medical devices have the factory IP address 192.168.0.100, which an attacker could use to reach the device and extract the wireless encryption keys, which are stored in plain text on it. If an attacker had physical access to the device, they could not only gain access to the keys and compromise the pump but, by extension, any drug pumps in the hospital connected to the same WiFi.

“The WPA keys for the ‘super secure’ hospital wireless network sit on these machines unencrypted and plain text. They are stored in ‘/ram/mnt/jffs2/config’ and can be accessed over Telnet and FTP. Since these pumps are designed to stay attached to patients local access needs to be considered. These devices are configured to exist on a medical device network. This also needs to be considered by hospitals selling their old equipment.” Richards added.

The problems are not limited to the single pump: if an attacker had physical access to the device, he could take over the pump and any other drug pumps in the hospital connected to its WiFi.

Richards explained that a local physical attack could be easily carried out in a few seconds through the Ethernet port by using a device like the Raspberry Pi. “This is a game-over vulnerability that allows an attacker with physical access to the device complete control over their own device,” Richards wrote.

One of the vulnerabilities, tracked as CVE-2015-3459, is related to the lack of authentication for Telnet sessions on pumps running SW version 412. An attacker exploiting the flaw can remotely gain root privileges via TCP port 23.

“Hospira Lifecare PCA infusion pump running “SW ver 412” does not require authentication for Telnet sessions, which allows remote attackers to gain root privileges via TCP port 23,” states the description of the flaw in the National Vulnerability Database.
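Telnet and FTP are the two cleartext services through which, according to Richards, the pump's configuration (including the WPA keys) and an unauthenticated root shell are reachable. As an added, defender-side illustration (not code from the article, from Richards or from Hospira), the following Python script runs a simple detection over constructed firewall-style connection log lines and flags any TCP/23 or TCP/21 session to a medical-device subnet, or to the factory-default address 192.168.0.100 quoted above. The key=value log format and the 10.30.1.0/24 device VLAN are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample of firewall/flow log lines (hypothetical key=value format,
# not taken from any real product). 10.30.1.0/24 is the assumed medical-device VLAN.
SAMPLE_LOG = """\
2015-05-06T10:02:11Z src=10.20.5.17 dst=10.30.1.21 proto=tcp dport=23 action=allow
2015-05-06T10:02:15Z src=10.20.5.17 dst=10.30.1.21 proto=tcp dport=21 action=allow
2015-05-06T10:03:02Z src=10.30.1.50 dst=10.30.1.21 proto=tcp dport=443 action=allow
2015-05-06T10:04:40Z src=10.20.5.17 dst=10.40.2.9 proto=tcp dport=23 action=allow
2015-05-06T10:05:01Z src=10.20.9.3 dst=192.168.0.100 proto=tcp dport=23 action=allow
"""

MEDICAL_DEVICE_NETS = [ipaddress.ip_network("10.30.1.0/24")]  # assumption
FACTORY_DEFAULT_IP = ipaddress.ip_address("192.168.0.100")   # address quoted in the article
CLEARTEXT_MGMT_PORTS = {21: "ftp", 23: "telnet"}              # services Richards cites


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    service: str
    reason: str


def parse_line(line: str) -> Tuple[str, Dict[str, str]]:
    """Split 'TS k=v k=v ...' into the timestamp and a dict of fields."""
    ts, *kvs = line.split()
    return ts, dict(kv.split("=", 1) for kv in kvs if "=" in kv)


def detect_cleartext_mgmt(log_text: str) -> List[Alert]:
    """Flag TCP sessions to Telnet/FTP on medical devices or on the factory-default address."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, f = parse_line(line)
        if f.get("proto") != "tcp" or "dport" not in f or "dst" not in f:
            continue
        dport = int(f["dport"])
        if dport not in CLEARTEXT_MGMT_PORTS:
            continue
        dst = ipaddress.ip_address(f["dst"])
        service = CLEARTEXT_MGMT_PORTS[dport]
        if dst == FACTORY_DEFAULT_IP:
            # A device still on its shipping address has most likely never been provisioned.
            alerts.append(Alert(ts, f["src"], f["dst"], service,
                                "factory default address still in use"))
        elif any(dst in net for net in MEDICAL_DEVICE_NETS):
            alerts.append(Alert(ts, f["src"], f["dst"], service,
                                "cleartext management protocol on medical device VLAN"))
    return alerts


def sources_by_device(alerts: List[Alert]) -> Dict[str, List[str]]:
    """Group alerting source hosts per device so a single noisy client stands out."""
    out: Dict[str, List[str]] = {}
    for a in alerts:
        out.setdefault(a.dst, [])
        if a.src not in out[a.dst]:
            out[a.dst].append(a.src)
    return out


if __name__ == "__main__":
    for a in detect_cleartext_mgmt(SAMPLE_LOG):
        print(f"{a.ts} {a.src} -> {a.dst}:{a.service}  {a.reason}")
```

The same rule can be fed from a real flow export by replacing `SAMPLE_LOG`; the point is that, with a vendor that has no fix planned, network segmentation plus alerting on any Telnet or FTP session toward the device VLAN is the control a hospital can actually deploy.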

There are many other security issues affecting these medical devices: ill-intentioned actors could retrieve information about hard-coded accounts stored on the device. Although these credentials are hashed, they are quite easy to crack with brute-force attacks:

.htpasswd file in /ram/mnt/jffs2/config
Admin:e6VERxIM2M1aY
hospira:Ok6EEl22j2/6w
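To show why a hashed .htpasswd offers so little protection in this case, here is an added Python audit (not code from the article or from Hospira) that classifies each entry of a constructed .htpasswd sample by hash format and rates it. The 13-character entries in the file quoted above have the shape of traditional DES crypt(3), which uses a 12-bit salt, keeps only the first 8 characters of the password and derives a 56-bit key, which is why such hashes fall to brute force quickly; the hash strings below are made up, and the risk ratings are an assumption of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample .htpasswd, laid out like the file the article quotes
# (/ram/mnt/jffs2/config/.htpasswd). Every hash string here is made up.
SAMPLE_HTPASSWD = """\
# constructed sample, not the pump's real file
Admin:AbCdEfGhIjKlM
hospira:Zy9XwVuTsRqPo
service:$apr1$saltsalt$abcdefghijklmnopqrstuv
ops:$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234
legacy:{SHA}AbCdEfGhIjKlMnOpQrStUvWxYz0=
not a valid entry
"""

# (name, pattern, risk, why). Most specific formats first; risk ratings are this example's own.
HASH_FORMATS = [
    ("bcrypt", re.compile(r"^\$2[abxy]\$\d{2}\$[./0-9A-Za-z]{53}$"),
     "low", "adaptive work factor, 128-bit salt"),
    ("apr1-md5", re.compile(r"^\$apr1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$"),
     "medium", "salted, 1000 MD5 rounds, fast to guess on GPUs"),
    ("sha1-plain", re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"),
     "high", "unsalted SHA-1, one hash per guess"),
    ("des-crypt", re.compile(r"^[./0-9A-Za-z]{13}$"),
     "high", "12-bit salt, password truncated to 8 chars, 56-bit key"),
]


@dataclass
class Finding:
    user: str
    algorithm: str
    risk: str
    note: str


def classify_hash(h: str) -> Tuple[str, str, str]:
    """Return (algorithm, risk, note) for one htpasswd hash string."""
    for name, pattern, risk, why in HASH_FORMATS:
        if pattern.match(h):
            return name, risk, why
    return "unknown", "unknown", "format not recognised"


def audit_htpasswd(text: str) -> List[Finding]:
    """Parse an htpasswd file and classify every account's hash; blank/comment lines are skipped."""
    findings: List[Finding] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            findings.append(Finding(line, "unparseable", "unknown", "no 'user:hash' separator"))
            continue
        user, h = line.split(":", 1)
        algorithm, risk, note = classify_hash(h)
        findings.append(Finding(user, algorithm, risk, note))
    return findings


def weak_accounts(findings: List[Finding]) -> List[str]:
    """Usernames whose stored hash is rated high risk and should be re-hashed or removed."""
    return [f.user for f in findings if f.risk == "high"]


if __name__ == "__main__":
    for f in audit_htpasswd(SAMPLE_HTPASSWD):
        print(f"{f.user:10} {f.algorithm:12} risk={f.risk:7} {f.note}")
    print("re-hash or remove:", weak_accounts(audit_htpasswd(SAMPLE_HTPASSWD)))
```

The audit only reads the file; it does not try to recover any password. Its practical value is in flagging DES crypt and unsalted SHA-1 entries so that, on equipment the operator does control, they can be replaced with bcrypt and the hard-coded accounts removed before the device goes on a shared network.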

Attackers can also glean information related to hard-coded local accounts, and on top of that a web server, AppWeb, that runs in tandem with the device suffers from its own separate vulnerabilities as well.

The issue is complicated by the fact that even if authentication were present on the Telnet port, it wouldn’t help, since there are several web services, the exposed CGIs “linkparams” and “xmmucgi,” that don’t require authentication and that an attacker could exploit to “change the drug library, update software and run commands.”

Richards also highlighted the presence of a vulnerable web server, AppWeb running v1.0.2, and many other web services with exposed CGIs “linkparams” and “xmmucgi” that don’t require authentication and could be easily hacked.

Richards reported the issues to the manufacturer Hospira, but it apparently has no plans to fix them.

Pierluigi Paganini

(Security Affairs –  medical pumps, hacking)