Hackers Could Cause Fatal Overdoses By Hijacking Hospital Drug Pumps

Venustus

Level 59
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Dec 30, 2012
4,809
Not that anyone needed another reason to fear hospitals, but here’s a good one: Security researcher Billy Rios has discovered vulnerabilities in popular hospital drug pumps that allow hackers to remotely change drug dosages.

Rios found a way to remotely change drug pump firmware that would give hackers control over the devices by accessing the hospital’s communications module to send a fake firmware update to a pump. Hackers could exceed the maximum dosage allowance without setting off the pump’s alert function, making it easy to fatally jack up drug doses without raising suspicion.

At least five models from drug pump manufacturer Hospira are in danger of getting hijacked, according to Wired. This includes its Plum A+ model, which has been installed at least 325,000 times in hospitals around the world. Rios told Wired that the same process used by Hospira to deliver real firmware updates leaves the company’s pumps open to attack.

An attacker wouldn’t need physical access to the pump. The communication modules are connected to hospital networks, which are in turn connected to the Internet. “You can talk to that communication module over the network or over a wireless network,” Rios warns.

This isn’t the first time Rios has discovered security gaps in hospital devices. The former Marine platoon commander’s research into faulty pump security helped jumpstart a US probeinto Hospira’s equipment in 2014, including its PCA 3 pump. The results weren’t exactly heartening. “Over 400 days later, we have yet to see a single fix for the issues affecting the PCA 3,” Rios wrote in a blog post today.

Last month, the US Food and Drug Administration issued a warning about two of Hospira’s pumps based on Rios’ research. The warning didn’t include the Plum A+ pump, and Hospira hasn’t acknowledged a problem with that model. Rios doesn’t buy for a second that Hospira didn’t know how widespread the problem was. “I find it impossible to believe that Hospira was unaware that the PCA3 issues also affected other pumps in their product lines,” he wrote.

The closest thing to this kind of medical cyberattack is still that cheesy plotline from Homelandwhere the vice president’s pacemaker was remotely hacked. But Rios’ research proves that murder-by-medical-device was actually one of the more realistic Homeland twists.

Source
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top