Infusion pump is hackable … but rumours of death are exaggerated

It's the kind of vulnerability that's tailor-made for infosec publicity: a brand of infusion pumps used to deliver drugs to patients in hospital has an open, unauthenticated Telnet port that allows an attacker access to the dosage database. Yes, it's a serious vulnerability that presumably applies as much to the pump's WiFi …

  1. Black Betty

    Dongle?

    Just how hard would it be to create a wireless to Ethernet dongle? One small enough to be practically unnoticeable without knowing what to look for. It wouldn't even have to be wireless, just preloaded with the exploit.

    Someone dressed as a nurse or doctor passing from station to station with a pocketful of these could easily compromise every pump in an infusion centre.

    1. Anonymous Coward

      Re: Dongle?

      The concern over someone fitting WiFi to ethernet interfaces to many infusion pumps in order is ridiculous and shows how a sensible assessment of risk is thrown out of the window when new technology is involved.

      The scenario is that a technically sophisticated attacker with physical access to many infusion pumps intent on causing a problem fits a dongle to the ethernet port on many infusion pumps. Why does he need to do any hacking at all? There are many obvious things he could do from deliberate contamination to a malicious modification of the device. Even something as simple as mislabelling could be a serious safety issue.

      As long as an attack needs physical access and some technical sophistication I cannot get very concerned because almost all medical devices are intrinsically vulnerable under these circumstances and the risk is controlled as well as it reasonably can be because of the physical access requirement. At the end of the day people, especially sick people, are vulnerable if someone is knowledgeable, has physical access and has the desire to cause harm. That is never going to change.

      Risk management is a key part of the design of medical devices; it is pretty much impossible to control deliberate malicious action by someone with physical access to a device. What is much more important is foreseeable misuse and user errors like using the wrong cleaning materials or becoming confused about patient identity etc.

    2. sisk

      Re: Dongle?

      "Someone dressed as a nurse or doctor passing from station to station with a pocketful of these could easily compromise every pump in an infusion centre."

      Wouldn't happen. Despite what you see on TV hospital staff generally know each other and will challenge a stranger who's messing with the equipment or looking at patient charts. A strange doctor or nurse going along visiting every patient is going to arouse suspicion real quick.

  2. Charles Manning

    We have hundreds of attack vectors that never get used

    There are literally hundreds of non-electronic attack vectors out there that could be used by bad people but are not, mainly because people don't generally want to walk around killing or hurting other people.

    Someone dressed as a doctor or a nurse could easily add extra chemicals/drugs to a drip. But no, we freak out about the new electronicy thing.

    This is really no different from the whole 3D printed gun freak-out session of 3 years ago. Sum total of people killed with 3D guns during the last 3 years: 0. Meanwhile zip guns built with pre-internet tools ($5 hacksaw + hammer + pliers) kill people every day.

    Nor for that matter is it much different to the recurring SARS/Bird Flu/Ebola panics. Sure these diseases get a few people, but nothing compared to the millions that die every year of boring old malaria and TB.

    We're always looking for new ways to scare the people...

    1. Paul Crawford Silver badge

      Re: We have hundreds of attack vectors that never get used

      Well said.

      But I guess there is a big difference between "local" attacks, where the person has to gain some sort of physical access, and the risks from a remote hack being used.

      While there probably are very few bad/mad enough to do this in total in the world, the risk of it being done is much higher if the perpetrator need not travel or physically risk being caught. To me that is the real issue with the whole IoT craze, not that someone who gets on my LAN can do something stupid/bad, but that suddenly any twerp anywhere in the world can take a shot at things because the devices are being exposed to the WAN, without adequate security or patching, for whatever reason the designer thought cool.

    2. Anonymous Coward

      Re: We have hundreds of attack vectors that never get used

      "This is really no different from the whole 3D printed gun freak-out session of 3 years ago. Sum total of people killed with 3D guns during the last 3 years: 0. Meanwhile zip guns built with pre-internet tools ($5 hacksaw + hammer + pliers) kill people every day."

      Thing is, these zip guns are usually used in low-level attacks on ordinary citizens. The big concern with the 3D printed gun was the plastic gun, one that can pass metal detectors and allow for the killing of high-profile targets. Combined with a carbon fiber casing and a ceramic slug (also nonmetallic), this has the potential for political instability, which means even the chance of it passing is enough to trigger alarm bells.

      1. sisk

        Re: We have hundreds of attack vectors that never get used

        "The big concern with the 3D printed gun was the plastic gun, one that can pass metal detectors and allow for the killing of high-profile targets. Combined with a carbon fiber casing and a ceramic slug (also nonmetallic), this has the potential for political instability, which means even the chance of it passing is enough to trigger alarm bells."

        That's not what the hype was about, and even if it were the lethal range on the things is so short that the threat was already there in the form of ceramic throwing knives. Which, actually, are far deadlier than any 3D printed gun yet. If you can get close enough to reliably kill someone with a 3D printed gun then you're close enough to spit in their eye.

    3. sisk

      Re: We have hundreds of attack vectors that never get used

      "Someone dressed as a doctor or a nurse could easily add extra chemicals/drugs to a drip. But no, we freak out about the new electronicy thing."

      No they couldn't because hospitals have this thing called security. The whole "put on a lab coat and walk through the hospital unchallenged" thing is pure fiction. My mom used to get stopped and questioned if she took a shortcut from the cafeteria back to her own nurse station through a different ward, and that was before the world got all paranoid.

  3. Anonymous Coward

    If I have the misfortune to find myself attached to an infusion pump I don't think I'm going to be worrying too much about some leet haxor changing the pump's settings and killing me. Why? Because there must be a million easier ways to kill me, many of which leave a similarly small amount of evidence. Does this mean it's ok to leave a telnet port open? Of course not, but we have to maintain some perspective here. Despite what the media portrays, the world isn't filled with psycho killers waiting to pounce; your chance of dying at the hands of a psycho is tiny compared to dying from, say, driving to work.

  4. notafish

    Kudos for an article that's (a) NOT fear-mongering (b) admits that reporters don't always have enough info to have an informed opinion.

    A pleasure to read.

  5. The March Hare

    Lowest Common Denominator

    Found myself wondering why a telnet port would be left open in the design of this thing, and then realised that it's been built down to a price - and security costs money.

    Ergo, the company that makes these has an eye on costs.

    Ergo, their other products will also have the same design ethos.

    And so will anyone else in the same market (if they want to compete on price that is).

    Unless/until someone important (hah! define that one!!) or maybe a lot of people get severely damaged/worse by this type of design flaw then adding cost (security) into a huge range of small cheap devices will just not happen.

    1. Anonymous Coward

      Re: Nice

      Not so much price - more culture. FDA in recent years has been banging on about passwords to configuration screens not only being left as default - but published in user documentation. Same (lack of) attack vector as the telnet port, but additional signs of complacency.

  6. toughluck

    So an exploit can be delivered over WiFi. What about a harmful agent?

    Suppose a hacker gains access to the infusion pump. What can he do? Either increase the flow or stop it. Increasing the flow is impossible beyond a certain level which is probably not going to cause much but a certain discomfort. Stopping the pump completely will be quite obvious, so if a patient is told to walk around with the pump for an hour or two and the medicine is still not fully administered by then, the doctor is going to know what to do (I'm sure they deal with pump failures from time to time).

    And what danger is there, anyway? All the contents of the bag were going to end up in the patient one way or another. It's not like the pump is plugged into a pipework of all the drugs available in the hospital, so it's not like an exploit is going to put arsenic or cyanide in the mix.

    Until hackers figure out a way to deliver chemicals over WiFi, I think it's fair to say we're safe.

    The vulnerability is certainly alarming. Not because of the potential risks, but because of the carelessness.

    1. The Mole

      Re: So an exploit can be delivered over WiFi. What about a harmful agent?

      A lot of drugs need to be infused over a period of time otherwise they are dangerous - hence why they are being infused rather than injected in the first place. If you deliver over 30 minutes what should have been delivered over 6 hours then there is a very real chance of serious harm before it is noticed.

      That said I do agree that the real risk is relatively low - though the low risk of getting caught and impersonal nature of doing it remotely may make the theoretical risk higher than that of a person walking round fiddling with the machines.

      That said I'm not sure why they would need wifi to begin with, they have a screen for a reason and I'd hope don't require regular software updates anyway given they don't actually do much.

    2. Anonymous Coward

      Re: So an exploit can be delivered over WiFi. What about a harmful agent?

      There's plenty of drugs which are safe when a prescribed quantity is injected at a prescribed rate, but become lethal if that same quantity is injected at a higher rate. Morphine pumps is one obvious example.

      1. Charles 9

        Re: So an exploit can be delivered over WiFi. What about a harmful agent?

        Then consider humble little potassium. We NEED small doses of it regularly because it helps regulate the heart, but one quick injection of KCl and your heart (and you) is not waking up (that's why it's usually the coup de grace of lethal injection).

  7. Anonymous Coward

    "Someone dressed as a doctor or a nurse could easily add extra chemicals/drugs to a drip". Simply not true in most cases of administering chemo, blood etc. patients know what they are getting, see the checks, know the staff etc etc. Some stranger fiddling with the equipment would get short shrift. I am speaking from experience as a patient getting infusion every 4 weeks.

  8. The Mole

    Network accessibility

    Gaining access to the wifi network may be challenging if it has been properly secured, but the fact is most hospitals have been retrofitted with ethernet cabling all over the place - certainly to doctors offices and nurses stations. These networks will be connected to the wifi network (I assume the whole sales pitch of needing wifi on pumps is to allow the nurses to monitor them remotely without having to actually go look at their patients?).

    The question isn't how secure is the wifi network, but how hard is it to plug a cable into a spare ethernet network port and start using the network?

    A well set up network will presumably use mac address checking and the like to prevent rogue devices connecting but I don't know how easy those are to be defeated.

    1. Charles 9

      Re: Network accessibility

      "A well set up network will presumably use mac address checking and the like to prevent rogue devices connecting but I don't know how easy those are to be defeated."

      And what's to stop a bad boy from pretending to be (or hiding itself in) a new device being sent in to replace an old one? Since it's coming in at the critical "first contact" phase, it's more likely to slip in unnoticed as it's thought to just be a new member of the team.

  9. DaDoc
    Black Helicopters

    Intensive Care

    The article is a tad one-sided when it comes to describing usage-scenarios for infusion pumps, although I admit the descriptions do apply aptly to the specific type of pump mentioned, namely a PCA-pump. Whilst the author points out that hospitals will generally avoid making ethernet ports available left, right and center - and that may be true - the trend on intensive care units is very much toward networking all devices. If you imagine a busy ICU with 15 beds, each equipped with a ventilator and something like 12 infusion devices (and, in some cases, additional equipment, such as dialysis devices, ECMO etc.) you can immediately see the advantage of networking those devices: automated documentation. In addition, alarms (patient inadequately ventilated, norepinephrine running low, potassium pump to be changed in 5 minutes etc...) can be displayed in a central nursing bay (already we can see the patient's vitals on monitors throughout the ICU), streamlining some of the work on ICU. Networked pumps can also be updated remotely - a godsend when you need to add new drugs and standards to the internal list of available medications.

    My personal experience is that the team in charge of implementing such changes on an ICU does not include an IT-security expert - and companies will happily tell you that there is no way a device can be controlled remotely. Less IT-savvy physicians (and that description will include many senior physicians, who did not grow up in an IT-environment) will be happy to believe such claims. Knowing that one pump on the market proves those claims wrong - and suspecting that many other pumps will too - should be worrying to anybody who uses networked pumps on an ICU - where pumps and drugs really are part of a life and death situation.

    Of course we don't live in a world full of people who would like to kill indiscriminately - but some of those who are mad will find it rather easier to do so remotely than in person. I do very much agree with your third conclusion - IT-security needs to be a part of the stringent certification procedure for medical devices.

    1. Anonymous Coward

      Re: Intensive Care

      Fair point - but networks in ICU tend to be isolated from the rest of the world. Not perfect, but some mitigation.

  10. Dan Paul

    You forget the "Killer Nurse" syndrome

    There have been plenty of cases of nurses that go off their wheels and kill patients. An overdose here, an injection of Succinylcholine there, an air bubble here. Lots of ways to off someone inside the hospital that are difficult to trace.

    Even if it weren't hacked, an infusion pump that is adjustable and exposed to the wrong person is dangerous enough, let alone one that is hackable.

    1. Captain TickTock

      Re: You forget the "Killer Nurse" syndrome

      Air bubbles are not the huge risk that Columbo would have you believe, I was told when I complained about the huge air bubbles in my infusion line...

  11. martinusher Silver badge

    Networked Computers are common.....honest....

    Our local hospital has a computer in every patient room. It can be used for patient notes and stuff but its primary purpose is revealed by the bar code reader attached to it. Every time something gets used on the patient the patient's wrist band is scanned and the product is scanned.

    So you're right that cash strapped hospitals can't justify pulling cable and the like but if it's for a billing system that's another story. My local hospital is in America so you expect this but given that the US health systems see the UK as a significant growth opportunity (aided and abetted by the government) I wouldn't be surprised to see it coming to a (ex) NHS hospital near you.

    But that still doesn't mean that people are going to plug things in and get them hacked. That's just scaremongering.

  12. Anonymous Coward

    Research?

    The original disclosure claims that once you have physical access to one pump you can extract the keys to the wireless network. You can then control any pump on the network without physical access. The author seems to miss that point. Still, it is valid to ask how likely it is someone would attack this system in real life to someone's physical detriment. However, that is hard to quantify. Also there may be financial incentives (hurt competition or cause a problem so you can be hired to fix it) to consider.

    Original (as far as I know) disclosure : http://hextechsecurity.com/?p=123

  13. Daedalus
    FAIL

    Time is the enemy

    Thanks to the regulatory process, medical devices are typically years behind the state of the art, particularly since the manufacturers have plenty of incentive to wring as much lifetime out of the product as possible. Any change to any part of a device requires regulatory review, so forget about weekly patching. Most manufacturers will focus on a new device rather than upgrade an old one. In 5 to 10 years time we may have sophisticated online threats going against devices that are designed with older, obsolete threats in mind.

    In other words, even if the problem isn't real now, it will be very real in a few years.

  14. N000dles
    Black Helicopters

    And if you wanted to bring it all down...

    Operating on wireless at a relatively low power means connectivity could easily be swamped by someone with Amateur Radio experience. Not sure how long they could cause a disruption before the transmitter is triangulated but if you knew someone of importance was going under at a set time.......

    1. Anonymous Coward

      Re: And if you wanted to bring it all down...

      but how many hospital IT departments have the equipment/skills to triangulate?

  15. barrypii

    A. As a former medical equipment repair person I can tell you that this exploit is overrated.

    Should it be fixed, yes. Should security be taken seriously, yes.

    Up until 10 years ago there weren't even connected infusion pumps, and those were dangerous because a nurse could very easily make a 10x medication error. She wants to put in 10 ML per hour and accidentally puts in either 1 or 100. Or she could press STOP instead of START because they were located right next to each other. Neither would give you a warning or an error message.

    Today's pumps have drug databases with pre-defined ranges set by pharmacy. Can they override the setting, yes but it is logged and noted in the system.

    This tech is saving so many more lives every year, it was well worth it. It also reduces the malpractice insurance by large sums of money. They are getting a return on investment and a payoff date to upgrade to this tech by insurance savings only.

    Can someone hack it, and kill a patient; Theoretically. But they would have to find the exact unit that is on the patient and there could be hundreds if not thousands of these in any given hospital and they never stay in one place. These move multiple times per day. They would still need to gain physical access to the unit, and the medicine would have to be lethal anyway if overdosed. Then there will be some sort of record because these update via wifi with alarms. Could they hack it and delete all evidence? Sure, but that would cause physical evidence, with bags being too empty too quickly.

  16. James Boag

    When I awoke to find myself attached to a morphine pump, honestly I really didn't give a sh*t Lol

    mmmmm morphine lol

  17. Jamie Jones Silver badge

    Huh?

    "If you're getting sick of being stuck in the infusion chair on (say) Level 5 of the Sydney Infusion Centre, or bored witless with the view from Level 9, you'll walk down the long corridor, get into the lift, go down to the ground floor, and sit on a little garden bench, happily out of reach of the pump's home WiFi access point.

    Nobody's going to make always-on connectivity a dependency of pump operation."

    Whilst I agree with the general sentiments of the article, and the comments, I don't understand the safety implied by the above paragraphs.

    How does no 'always on' requirement keep it safe from access when it is 'on'?

    And isn't any potential abuse going to be by some psycho being a 'l33t h4x0r' with nmap, and not targeted at a specific individual?
