Researcher: Drug Pump the ‘Least Secure IP Device I’ve Ever Seen’

Hospira LifeCare PCA 3 infusion pumps were found to contain a number of serious security holes that could give an attacker control over the devices.

In-brief: A researcher studying the workings of a wireless-enabled drug infusion pump by the firm Hospira said the device utterly lacked security controls, making it “the least secure IP enabled device” he had ever worked with. His research prompted a warning from the Department of Homeland Security. 

The warning (CVE-2015-3459), which DHS rated “10 out of 10” for severity, is just the latest involving serious software flaws in Hospira infusion pumps. The flaws could allow someone with physical access to a Hospira LifeCare PCA 3 model pump and minimal technical knowledge to gain total control over the device. The quantity and severity of the flaws prompted the researcher who discovered them, Jeremy Richards, to call the PCA 3 pump “the least secure IP enabled device” he has ever worked with.

Hospira did not respond to requests for comment prior to publication.

Richards told Security Ledger that he purchased a PCA 3 pump for the purposes of research off of eBay in November. He said the PCA is an older model infusion pump, though it is still offered on the Hospira web site. An update, the Plum Infusion System, contains many of the same features – but was more expensive to buy second-hand, Richards said. “This research was funded with my own money, so I went with the less expensive option,” said Richards, an independent security researcher who lives in Toronto, Canada.

What he found was shocking. Among other things, Richards noted that the device was listening on Telnet port 23. Connecting to the device, he was brought immediately to a root shell account that gave him total, administrator level access to the pump.

“The only thing I needed to get in was an interest in the pump,” he said.

Richards found other examples of loose security on the PCA 3: an FTP server that could be accessed without authentication and an embedded web server that runs Common Gateway Interface (CGI). That could allow an attacker to tamper with the pump’s operation using fairly simple commands.

The PCA pump also stored wireless keys used to connect to the local wireless network in plain text on the device. That means anyone with physical access to the pump could gain access to the local medical device network and other devices on it. Furthermore, if pumps are not properly wiped prior to being sold, those keys may be transmitted to unknown buyers on the second-hand market, Richards warned.

Like other medical devices that independent security researchers have looked at, Richards said the Hospira LifeCare pump did not validate the authenticity of firmware updates prior to installing them – a common problem in the medical device sector. 

Richards said he did not make an effort to contact Hospira, but did relate his findings to the researcher Billy Rios, who has been communicating with the company.

He acknowledged that it might be possible to update the devices to require a Telnet or FTP password, or to set a password locally for the device. However, Hospira’s deployment guide does not contain any instructions for doing so. And setting a local password would not remove remote CGI scripting attacks against the pump’s web management interface, he said.

A patch for the vulnerable devices is needed. However, Richards said it is unclear whether Hospira intends to continue supporting the PCA 3 pump.

Hospira’s MedNet software was the subject of another security warning from the Department of Homeland Security in March.

DHS’s Industrial Control System Computer Emergency Response Team (ICS-CERT) said in an advisory on March 31 that the MedNet software contains four critical vulnerabilities that could allow a malicious actor to run malicious code on and take control of the MedNet servers, which could be used to distribute unauthorized modifications to medication libraries and pump configurations.

Richards’ research echoes Rios’s findings, which included a hard-coded password for the SQL database used by the MedNet software and a reliance on vulnerable versions of the JBoss Enterprise Application Platform software. That software could allow unauthenticated users to execute arbitrary code on the target system.

Of course, any attack on a vulnerable Hospira pump would first require the attacker to have physical access to the device or to defeat or circumvent the security of the hospital’s perimeter and gain access to the internal hospital network. From there, they would need to be able to identify the PCA devices on the wireless network, though that is not difficult to do.

Like other organizations, hospitals deploy firewalls, intrusion detection system software and other security products to protect their networks.
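
One way a hospital network team could use those firewall logs to spot the exposure described above is sketched here as an added example that is not part of the original article or any Hospira tooling. It flags allowed connections to the Telnet, FTP and web services on a pump network from hosts that are not approved to manage pumps. The subnet, the approved management host and the flow-record format are all assumptions constructed for illustration.

```python
import ipaddress

# Assumptions (not from the article): the pump VLAN, the single management
# host allowed to reach it, and the flow-record format are constructed.
PUMP_NET = ipaddress.ip_network("10.20.30.0/24")
ALLOWED_SOURCES = {ipaddress.ip_address("10.20.1.5")}
# Services the article reports as reachable on the pump.
RISKY_PORTS = {21: "ftp", 23: "telnet", 80: "http-cgi"}

# Constructed sample: timestamp src sport dst dport proto action
SAMPLE_FLOWS = """\
2015-05-05T10:01:02Z 10.20.1.5 51000 10.20.30.17 80 tcp ALLOW
2015-05-05T10:03:44Z 10.40.8.21 49822 10.20.30.17 23 tcp ALLOW
2015-05-05T10:03:59Z 10.40.8.21 49830 10.20.30.17 21 tcp ALLOW
2015-05-05T10:04:10Z 10.40.8.21 49831 10.20.30.18 23 tcp DENY
2015-05-05T10:05:00Z 10.40.8.21 49900 10.50.0.9 23 tcp ALLOW
malformed line
"""

def find_pump_exposure(log_text):
    """Return alerts for allowed flows to risky pump services from unapproved hosts."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue  # skip records that do not match the constructed format
        ts, src, _sport, dst, dport, proto, action = fields
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue  # unparseable address or port
        if proto != "tcp" or action != "ALLOW":
            continue  # only flows the firewall actually let through
        if dst_ip not in PUMP_NET or port not in RISKY_PORTS:
            continue  # not a pump, or not one of the reported services
        if src_ip in ALLOWED_SOURCES:
            continue  # approved management host
        alerts.append({"time": ts, "src": src, "dst": dst,
                       "service": RISKY_PORTS[port]})
    return alerts

if __name__ == "__main__":
    for alert in find_pump_exposure(SAMPLE_FLOWS):
        print(alert)
```

Any alert here means a host outside the approved set completed a connection to a pump service, which on the device described in the article would require no credentials.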

Infusion pumps are a special area of concern as hospital networks begin to more closely resemble traditional enterprise IT environments. Specifically: security experts warn that software vulnerabilities that seemed like remote threats when equipment was shunted off onto proprietary medical device networks might be exposed to a wider range of threats and actors – with potentially deadly consequences. The National Institute of Standards and Technology in December released an example of a reference document for securing wireless drug infusion pumps that was meant to be the first in a series of similar documents to provide guidance from the U.S. government for securing connected medical devices.

Also, the Food and Drug Administration (FDA) last year warned medical device makers to pay more attention to the security of their products.