Internet-connected hospital drug pumps vulnerable to remote lethal-dose attacks

Researcher Billy Rios (previously) has extended his work on vulnerabilities in hospital drug pumps, discovering a means by which their firmware can be remotely overwritten with new code that can result in lethal overdoses for patients.

The pumps are vulnerable because, like many embedded/Internet of Things devices, they don't check new firmware for signatures from the manufacturer.

The companies whose products Rios analyzed are in denial about their mistakes. Hospira, who have at least 325,000 vulnerable Plum A+ models in hospitals worldwide (and unknown numbers of other vulnerable models), insist that they are invulnerable because the devices' communications modules are physically isolated from the pumps' circuitry. But although these two functions are separated on two physical boards, these boards are connected by a serial cable that allows them to talk to each other, and the pumps do not validate the firmware their receive from the communications modules.

Rios says when he first told Hospira a year ago that hackers could update the firmware on its pumps, the company “didn’t believe it could be done.” Hospira insisted there was “separation” between the communications module and the circuit board that would make this impossible. Rios says technically there is physical separation between the two. But the serial cable provides a bridge to jump from one to the other.

An attacker wouldn't need physical access to the pump because the communication modules are connected to hospital networks, which are in turn connected to the Internet.

“From an architecture standpoint, it looks like these two modules are separated,” he says. “But when you open the device up, you can see they’re actually connected with a serial cable, and they’re connected in a way that you can actually change the core software on the pump.”

An attacker wouldn’t need physical access to the pump. The communication modules are connected to hospital networks, which are in turn connected to the Internet. “You can talk to that communication module over the network or over a wireless network,” Rios warns.

Hospira knows this, he says, because this is how it delivers firmware updates to its pumps. Yet despite this, he says, the company insists that “the separation makes it so you can’t hurt someone. So we’re going to develop a proof-of-concept that proves that’s not true.”

Hacker Can Send Fatal Dose to Hospital Drug Pumps [Kim Zetter/Wired]