Thursday, May 07, 2015
All your drug pumps are belong to us
The US Department of Homeland Security has issued a warning via the National Vulnerability Database after a security researcher described an internet-connected drug infusion pump manufactured by Hospira as "literally the least secure IP enabled device I've ever touched in my life." The warning, which scored a low on access complexity scale (meaning it was easily exploitable across the network) gained a maximum 10 out of 10 for both severity and impact according to the vulnerability summary. The Hospira Lifecare PCA3 infusion pump, running software version 412, was discovered not to require any authentication for Telnet sessions making it easy for any remote attacker coming in via TCP port 23 to gain root privileges. The wireless encryption keys were apparently stored in plain text on the device, so anyone with physical access (such as a patient) could then access the 'Life Critical Network' responsible for administering the dosage. Unfortunately, that means the attacker would then have access to all the drug pumps connected to that network across the hospital.