Smart pumps used by hospitals in IV drips vulnerable to attacks


Syringe pumps – those beeping boxes affixed to the pole in a hospital IV drip – have flaws that could be exploited by hackers to change the dosages being delivered to patients.
Researcher Scott Gayou found eight separate flaws in three versions of the MedFusion 4000 pump made by Smiths Medical, a division of the British multinational Smiths Group.
Hospital staff use syringe pumps to deliver precise amounts of fluids to patients, be they adults or newborn infants: the anaesthesia that keeps patients unconscious during surgery, for example, as well as drugs, blood, antibiotics, or other critical fluids.
Gayou’s discovery prompted the Department of Homeland Security (DHS) to issue an advisory warning last week.
DHS, or, rather, its Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), said in the advisory that successful exploitation of the vulnerabilities could allow a remote attacker to gain unauthorized access to the pumps, their communications and their operation:
Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump.
In a letter to customers that acknowledged the flaws, Smiths Medical on Thursday downplayed the likelihood of a successful exploit:
The possibility of this exploit taking place in a clinical setting is highly unlikely, as it requires a complex and an unlikely series of conditions.
DHS’s alert detailed the vulnerabilities, which include a classic buffer overflow caused by a third-party pump component that fails to verify input buffer size prior to copying. Given that the pump receives this type of potentially malicious input infrequently, and under certain conditions, that one’s tough to exploit.
Also on the list of vulnerabilities are hard-coded credentials in a few spots; an FTP server on the pump that doesn’t require authentication if the pump is configured to allow FTP connections; storage of some passwords in the configuration file that are accessible if the pump is configured to allow external communications, and more.
Buffer overflows? Hard-coded credentials? If those sound familiar, they should: the vulnerabilities leave the devices open to well-known attacks, given that they don’t do much to check to see who’s connecting to them and don’t do a very good job of sanitizing any commands they receive.
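To show what “fails to verify input buffer size prior to copying” means in practice, here is an added illustration (not Smiths Medical’s code, and not the pump’s real protocol): a parser for a constructed command frame whose layout is one opcode byte, a two-byte big-endian length, then the payload. The two length checks are the ones an unchecked copy omits.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed frame layout for this example: [opcode:1][len:2 BE][payload].
 * Real device protocols differ; only the checking pattern matters here. */
#define PAYLOAD_CAP 64

struct command {
    uint8_t  opcode;
    uint16_t len;
    uint8_t  payload[PAYLOAD_CAP];
};

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

/* Parse one frame of frame_len bytes into out. Both checks must pass
 * before memcpy runs: the declared length must fit the destination,
 * and it must not exceed the bytes actually received. */
int parse_command(const uint8_t *buf, size_t frame_len, struct command *out)
{
    if (frame_len < 3)                       /* header incomplete */
        return PARSE_TRUNCATED;
    uint16_t len = (uint16_t)((buf[1] << 8) | buf[2]);
    if (len > PAYLOAD_CAP)                   /* the check a classic overflow lacks */
        return PARSE_TOO_LONG;
    if ((size_t)len > frame_len - 3)         /* length claims bytes we never got */
        return PARSE_TRUNCATED;
    out->opcode = buf[0];
    out->len = len;
    memcpy(out->payload, buf + 3, len);      /* bounded by both checks above */
    return PARSE_OK;
}

/* Test helper: build a frame whose declared length may disagree with the
 * payload bytes actually present, then parse it and return the status. */
int check_frame(uint8_t opcode, uint16_t declared_len, size_t actual_payload)
{
    uint8_t frame[512];
    struct command cmd;
    if (actual_payload + 3 > sizeof frame)
        return PARSE_TOO_LONG;
    frame[0] = opcode;
    frame[1] = (uint8_t)(declared_len >> 8);
    frame[2] = (uint8_t)(declared_len & 0xff);
    memset(frame + 3, 'A', actual_payload);  /* constructed filler payload */
    return parse_command(frame, 3 + actual_payload, &cmd);
}
```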
That’s unnerving: these syringe pumps are used on all manner of patients, including on neonatal wards to treat premature babies. Precision in drug delivery via these pumps is crucial. When they work the way they’re supposed to – as they do in hospitals with reliable electricity to keep them running, as opposed to the mechanical pumps used in developing countries that have high dosing error rates – they can administer drugs in consistent, tiny amounts that are impossible for human nurses to achieve.
There’s no known exploit that’s occurred in the wild. Smiths Medical says it will release fixes in Version 1.6.1 for the Medfusion 4000 syringe infusion pumps in January 2018.
In the meantime, the company released mitigation protocols in the ICS-CERT advisory that it says will protect against exploit. Some of those steps include further segregation of the devices from other parts of hospitals’ networks, assigning the devices static IP addresses, routine backups, and other pieces of advice that come straight out of the typical good-password handbook:
Apply proper password hygiene standards across systems (i.e. use uppercase, lowercase, special characters, and a minimum character length of eight).
Do not re-use passwords.
We can help with No. 1 for sure: here’s a short, sweet, straight-talking video that not only shows you how to pick a proper password, but also explains why you should bother.
As far as password reuse goes, there’s an ever-swelling list of stories about people’s accounts getting broken into because crooks found a password, then simply tried the credential out on any other site they could think of, be it on Netflix, Amazon, LinkedIn, Facebook, or National Lottery accounts.
But those stories pale in comparison to the possibility that password reuse could lead to a fatal overdose or underdose. Kudos and our thanks go to Scott Gayou for finding these flaws before harm could be done.
Monday review – the hot 25 stories of the week
Get yourself up to date with everything we've written in the last seven days – it's weekly roundup time.
Monday 4 September 2017
News in brief: Pratchett’s data steamrollered; WikiLeaks hit by hackers; Instagram details for sale
Lawyer suggests tying access to encryption to verified ID
Security-focused phone launches crowdfunding drive
Tempted to join the games in the cryptocurrency playground?
Tuesday 5 September 2017
News in brief: veterans among S3 leak victims; court rules on email privacy; man jailed for VPN sales
London police’s use of facial recognition falls flat on its face
Would-be cyberattackers caught by malware with a sting in the tail
Yahoo! braces itself for enormous class-action suit over breaches
Wednesday 6 September 2017
News in brief: Warning over Bitcoin scam app; Samsung facial recognition bypassed; Apple squares up to India
Lenovo settles lawsuits with 32 states over Superfish
Apache Struts “serialisation” vulnerability – what you need to know
Fur flies over Android bootloader flaws: here’s what you need to know
Why some gift cards are still a gift to hackers
Thursday 7 September 2017
News in brief: hacker fail; voting fail; Twitter fail
Heading off to university? Watch out for phishing scams
Unsecured databases are (still) the low-hanging fruit of the internet
Thought you’d blocked a Twitter user? Here’s how they can still dogpile you
What’s under the hood of the new Brave browser?
Friday 8 September 2017
News in brief: Uber faces FBI probe; Samsung offers bug bounties; ‘Humpty Dumpty’ hackers jailed
Equifax: highlighting the problems with social security numbers
Learning from the Equifax breach [VIDEO]
Orfox app brings Tor’s security slider to Android
Your voice assistant can hear things you can’t – such as a hacker
Equifax data breach defense: freezing your credit file
Sunday 10 September 2017
Equifax: woeful PINs put frozen credit files at risk