Hackers Could Up Medication Doses Through Infusion Pump Flaws
From pacemakers and insulin pumps to mammography machines, ultrasounds, and monitors, a dizzying array of medical devices have been found to contain worrying security vulnerabilities. The latest addition to that ignoble lineup is a popular infusion pump and dock, the B. Braun Infusomat Space Large Volume Pump and B. Braun SpaceStation, that a determined hacker could manipulate to administer a double dose of medication to victims.
Infusion pumps automate delivery of medications and nutrients into patients’ bodies, typically from a bag of intravenous fluids. They are particularly useful for administering very small or otherwise nuanced doses of medication without errors, but that means the stakes are high when problems do arise. Between 2005 and 2009, for example, the FDA received roughly 56,000 reports of “adverse events” related to infusion pumps “including numerous injuries and deaths,” and the agency subsequently cracked down on infusion pump safety in 2010. As a result, products like the B. Braun Infusomat Space Large Volume Pump are extremely locked down at the software level; it’s supposed to be impossible to send the devices commands directly. But researchers from the security firm McAfee Enterprise ultimately found ways to get around this barrier.
“We pulled on every thread we could and ultimately we found the worst-case scenario,” says Steve Povolny, head of McAfee’s Advanced Threat Research group. “As an attacker, you should not be able to move back and forth from the SpaceStation to the actual pump operating system, so breaking that security boundary and getting access to be able to interact between those two—it’s a real problem. We showed that we could double the rate of flow.”
The researchers found that an attacker with access to a health care facility’s network could take control of a SpaceStation by exploiting a common connectivity vulnerability. From there they could exploit four other flaws in sequence to send the medication-doubling command. The full attack isn’t simple to carry out in practice and requires that first foothold in a medical facility’s network.
“Successful exploitation of these vulnerabilities could allow a sophisticated attacker to compromise the security of the Space or compactplus communication devices,” B. Braun wrote in a security alert to customers, “allowing an attacker to escalate privileges, view sensitive information, upload arbitrary files, and perform remote code execution.” The company further acknowledged that a hacker could change the connected infusion pump’s configuration, and with it the rate of infusions.
The company said in the notification that using the latest versions of its software released in October is the best way to keep devices secure. It also recommends that customers implement other network security mitigations like segmentation and multifactor authentication.
B. Braun added in a statement to WIRED that the vulnerabilities are “tied to a small number of devices utilizing older versions of B. Braun software” and that the company has not seen evidence that the vulnerabilities have been exploited.
“We strongly disagree with McAfee’s characterization in its post that this is a ‘realistic scenario’ in which patient safety is at risk,” the company added in its statement.
The McAfee researchers note, though, that most of the bugs haven’t actually been patched in existing products. B. Braun, they say, has simply removed the vulnerable networking feature in the new version of its SpaceStations.
Once hackers gain control of the SpaceStation by exploiting the first network bug, the hack plays out by combining four vulnerabilities that all relate to lack of access controls between the SpaceStation and a pump. The researchers found specific commands and conditions in which the pumps don’t adequately verify the integrity of data or authenticate commands sent from the SpaceStation. They also discovered that the lack of upload restrictions allowed them to taint a device backup with a malicious file, and then restore from the backup to get malware onto a pump. And they noticed that the devices send some data back and forth in plaintext without encryption, exposing it to interception or manipulation.