When IoT Can Literally Kill You: Network-connected Pumps Vulnerable to Hacking
The medical device industry is increasingly adding networking capabilities to its devices, allowing them to access medical facility IT systems and to be monitored and controlled remotely. While this is an incredible innovation in medical technology, it also comes with an increased risk of exploitation.
The US Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT) issued a warning that a popular brand of network-connected medicine dosing machines (machines that deliver small doses of medicine) has eight security vulnerabilities that allow unauthorized users to execute arbitrary code, change dosing information, or even crash the device. Smiths Medical, which manufactures the affected Medfusion 4000 wireless syringe infusion pump, acknowledged the vulnerabilities and has since released software updates to address them.
“Successful exploitation of these vulnerabilities may allow a remote attacker to gain unauthorized access and impact the intended operation of the pump. Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump.”
The eight vulnerabilities:
Buffer copy without input size checking – classic buffer overflow that will allow the execution of arbitrary code
Out-of-bounds read – Causes the communications module of the pump to crash
Use of hard-coded credentials to access wireless network – Allows an attacker to set up a rogue wireless network to intercept traffic coming from the pump and control the pump remotely
Use of hard-coded Telnet password – An attacker can access the pump over Telnet with a hard-coded password
No authentication for FTP server – Allows an attacker to access the file system on the pump without a username or password
Use of hard-coded FTP credentials – Even though the FTP server does not require authentication, hard-coded credentials still exist on the device
No certificate validation – Subjects the pump to Man-in-the-Middle attacks
Passwords stored in cleartext on device – Passwords are not hashed or encrypted and vulnerable to theft using any of the previously mentioned unauthorized access methods
These vulnerabilities were responsibly disclosed to Smiths Medical in September and a software update was released this week. As hospitals and medical facilities go through a digital transformation, such as the requirement to make all medical records available in an electronic format, IT and security professionals are facing unprecedented pressure to transform and to implement the proper security controls in parallel in order to protect their patients. Attempting to secure a medical device that was not built in a secure manner is like trying to protect a building with a screen door. Medical devices must be both developed and implemented in a secure fashion.
Proper network security defensive measures can help mitigate a potential attack. These include assigning static IP addresses, monitoring network activity for rogue DNS and DHCP servers, ensuring the devices are segmented from the rest of the network using VLANs, and applying industry best-practice password hygiene.
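One way to check the monitoring and segmentation measures above, as an added example that is not part of the original article: a Python audit over flow records that flags DHCP or DNS replies from unapproved servers, any Telnet or FTP session to a pump, and traffic crossing into the pump segment. The pump subnet, approved server addresses, record format and sample flows are all constructed assumptions.

```python
import ipaddress

# Assumed site policy (hypothetical values, not taken from the advisory).
PUMP_NET = ipaddress.ip_network("10.20.30.0/24")   # VLAN reserved for pumps
ALLOWED_DHCP = {"10.20.30.1"}                      # only approved DHCP server
ALLOWED_DNS = {"10.20.30.2"}                       # only approved resolver
MGMT_PORTS = {21: "FTP", 23: "Telnet"}             # services named in the list above

# Constructed flow records: "proto src_ip src_port dst_ip dst_port"
SAMPLE_FLOWS = """\
udp 10.20.30.1 67 10.20.30.51 68
udp 10.20.30.99 67 10.20.30.51 68
udp 10.20.30.2 53 10.20.30.51 40112
udp 192.168.5.5 53 10.20.30.52 40113
tcp 10.20.30.10 51000 10.20.30.51 443
tcp 10.9.8.7 51001 10.20.30.52 23
tcp 10.20.30.77 51002 10.20.30.51 21
"""

def audit_flows(text):
    """Return (line_number, finding) for each flow that violates the policy."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        try:
            proto, src, sport, dst, dport = fields
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            sport, dport = int(sport), int(dport)
        except ValueError:  # wrong field count, bad address or bad port
            findings.append((n, "malformed record"))
            continue
        if dst_ip not in PUMP_NET:
            continue  # only traffic towards pumps is in scope
        if proto == "udp" and sport == 67 and src not in ALLOWED_DHCP:
            findings.append((n, f"rogue DHCP server {src}"))
        elif proto == "udp" and sport == 53 and src not in ALLOWED_DNS:
            findings.append((n, f"rogue DNS server {src}"))
        elif proto == "tcp" and dport in MGMT_PORTS:
            # Telnet/FTP to a pump is flagged regardless of source
            findings.append((n, f"{MGMT_PORTS[dport]} to pump {dst} from {src}"))
        elif src_ip not in PUMP_NET:
            findings.append((n, f"cross-segment traffic from {src}"))
    return findings

if __name__ == "__main__":
    for lineno, finding in audit_flows(SAMPLE_FLOWS):
        print(f"flow {lineno}: {finding}")
```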
No attacks are known to have exploited these vulnerabilities at the time of writing.