'Medjacking' Threat Has Hospitals Alarmed

A medical device hijacking threat affecting the devices used to regulate IV feeds in hospitals has the medical community alarmed. A security researcher says that he has discovered a way for hackers to change the dosage of medications delivered by a patient's Hospira drug pump.

The security researcher, Billy Rios, had been testing several drug pumps for vulnerabilities, and discovered that, in the case of the Hospira PCA 3 Lifecare infusion pump, a hacker would be able to change the maximum level allowed for certain drugs, meaning that, if a higher dose of a particular drug was given, the device would not alert medical staff.

The devices have a "drug library" that holds information about maximum dosages for different medications; Rios had discovered that access to that library didn't have to be authenticated, and anyone on the hospital's network could load a new one, with higher maximum dosages.

This wasn't too alarming, since Rios hadn't seen any way to actually change the dosage being administered itself. But when he kept searching, he discovered that the connection that allows Hospira to access and update the device's firmware is wide open to attackers.

According to Rios, the system doesn't require authenticated and digitally signed updates, and so can be accessed by hackers to upload a faulty update. And if a hacker can update the firmware on the main board, he or she can make the pump do whatever they like—including upping the dosage flowing through the IV line.

Rios has been proactive in reporting the problems: In May 2014 he reported a series of issues affecting the PCA 3 to the Department of Homeland Security (and eventually the FDA).

However, “Over 400 days later, we have yet to see a single fix for the issues affecting the PCA 3, though the FDA published an advisory,” he said in a blog post.

Further, according to Rios, the vendor has also been uninterested in finding out how widespread the issues are. “In May of 2014, I recommended Hospira conduct an analysis to determine whether other infusion pumps within their product lines were affected,” he said. “Five months after my request for a variant analysis, I received notification that Hospira was ‘not interested in verifying that other pumps are vulnerable.’”

After deciding to independently purchase additional pumps and perform an analysis himself, Rios discovered that the issues affect Hospira’s PCA 3 and PCA 5 Lifecare and Plum A+ Infusion Pump lines, and Symbiq (no longer sold by Hospira, but affected).

The issues include:

  • The ability to forge drug library updates to the infusion pump
  • Unauthenticated telnet shell to root to the communications module
  • Identical hardcoded credentials (service credentials) across different device lines
  • Identical private keys across different device lines
  • Identical encryption certificates across different device lines
  • A slew of outdated software (>100 different vulnerabilities)
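Several items in the list above (shared service credentials, shared keys and certificates across product lines, and a Telnet root shell on the communications module) can be checked from a device inventory. The audit below is an added example, not code from the article or from Hospira; the inventory, product lines, certificate material and credentials are constructed placeholders.

```python
import hashlib
from collections import defaultdict

# Constructed inventory (hypothetical values, not real device data). In practice
# cert material would come from TLS handshakes and open ports from a scan.
INVENTORY = [
    {"id": "pump-01", "line": "PCA 3",   "cert_pem": "CERT-A", "service_cred": "svc:pass1", "open_ports": [23, 80]},
    {"id": "pump-02", "line": "PCA 5",   "cert_pem": "CERT-A", "service_cred": "svc:pass1", "open_ports": [23]},
    {"id": "pump-03", "line": "Plum A+", "cert_pem": "CERT-B", "service_cred": "svc:pass2", "open_ports": [443]},
    {"id": "pump-04", "line": "Symbiq",  "cert_pem": "CERT-A", "service_cred": "svc:pass3", "open_ports": [443]},
]


def fingerprint(material: str) -> str:
    """Short SHA-256 fingerprint so secrets are compared without being logged in clear."""
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def shared_across_lines(inventory, field):
    """Map fingerprint -> sorted product lines for any value reused on more than one line.

    A certificate (and therefore its private key) or a service credential that shows up
    on several product lines means one extracted secret unlocks every line that shares it.
    """
    lines_by_fp = defaultdict(set)
    for dev in inventory:
        lines_by_fp[fingerprint(dev[field])].add(dev["line"])
    return {fp: sorted(lines) for fp, lines in lines_by_fp.items() if len(lines) > 1}


def telnet_exposed(inventory):
    """Device ids that expose Telnet (port 23), an unencrypted remote shell."""
    return sorted(dev["id"] for dev in inventory if 23 in dev["open_ports"])


def audit(inventory):
    """Run all three checks and return the findings as one report dict."""
    return {
        "shared_certs": shared_across_lines(inventory, "cert_pem"),
        "shared_service_creds": shared_across_lines(inventory, "service_cred"),
        "telnet_exposed": telnet_exposed(inventory),
    }


if __name__ == "__main__":
    for finding, detail in audit(INVENTORY).items():
        print(f"{finding}: {detail}")
```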

“The lack of transparency from Hospira is certainly disappointing,” Rios said. “Given there is a public blog post, Wired article, DHS advisory, and FDA safety alert discussing the issues affecting the PCA 3, combined with the fact that the software is identical on many Hospira communication modules, I find it impossible to believe that Hospira was unaware that the PCA3 issues also affected other pumps in their product lines.”

These types of “medjacking” events are not unheard-of. Barnaby Jack of security vendor IOActive published research three years ago that showed that several vendors’ pacemakers can be remotely controlled and commanded to deliver an 830-volt shock via a laptop, thanks to software programming flaws on the part of medical device companies. That is, of course, enough to kill someone, and Jack noted that the vulnerabilities open the door to “mass murder.”

In less life-threatening but nonetheless disturbing news, TrapX found in a May 2015 report extensive compromises of a variety of medical devices, including X-ray equipment, picture archive and communications systems (PACS) and blood gas analyzers (BGA); the findings included the use of Zeus malware and the presence of Citadel malware being used to find additional passwords within the hospital.

The FDA has been consistently on the case, warning that “As medical devices are increasingly interconnected, via the Internet, hospital networks, other medical devices and smartphones, there is an increased risk of cybersecurity breaches, which could affect how a medical device operates.” In a 2013 alert, it noted that attacks “could be initiated by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks.”

Medjacking will only become more common, researchers agree.

“The Internet connects computers around the world, and these devices have transformed over the years,” said Lancope CTO TK Keanini, by email. “From giant systems that fill an entire room, to the Internet of Things, the internet also connects us with cyber criminals; unfortunately, you will be a target of their activities, frequently without being aware. Now that practically every device we use—from printers to thermostats to medical equipment—is connected to the Internet, the security of ‘things’ has become a scarily large topic.”

By 2020, 26 billion objects will be connected to the internet, according to Ericsson.

“Unless we can quickly adapt to the Internet of Things, the next compromise will likely be on a massive scale and could affect the most intimate levels of our lives,” Keanini said. “Today you may tend to the security of maybe several devices. However, with the Internet of Things, you will add your car, all of the home and even medical devices. We have a hard enough time updating all our current applications, now add 30 more devices from 10 different vendors and you see the problem.”
