Serious Security Flaws Found in Hospira LifeCare Drug Pumps

Wednesday, May 06, 2015

Eduard Kovacs

Af7244bb99debb4a1152fa49a993a05c

Researchers have identified several critical vulnerabilities in Hospira LifeCare patient-controlled analgesia (PCA) infusion systems, which can be exploited by a remote attacker to take complete control of affected devices.

According to the manufacturer’s website, the LifeCare PCA drug pump is designed to prevent medication errors that commonly arise in PCA. The device is advertised as including features that enhance safe and secure delivery.

Canada-based researcher Jeremy Richards (@dyngnosis) published a blog post on Tuesday detailing multiple security issues identified in Hospira LifeCare PCA3 drug infusion pumps.

“I would personally be very concerned if this devices was being attached to me. It is not only susceptible to attack, it is so poorly programmed it can be rendered a useless brick with a single typo,” the researcher said.

Richards noted that Hospira LifeCare PCA pumps are “life critical devices” deployed in hospitals on a separate “life critical network.” According to the expert, a malicious actor could connect to a device via its Ethernet port and easily recover the wireless encryption keys to the life critical network. The attacker can then use this information to connect wirelessly to the life critical network and gain full control of all the drug infusion pumps in the hospital.Hospira LifeCare PCA infusion system

Such an attack is possible due to several flaws. One of the vulnerabilities is that the Wi-Fi Protected Access (WPA) keys for a hospital’s wireless network are stored in plain text on the device and they can be accessed over FTP and Telnet.

“Since these pumps are designed to stay attached to patients local access needs to be considered. These devices are configured to exist on a medical device network. This also needs to be considered by hospitals selling their old equipment,” Richards noted.

Read the rest of this story on SecurityWeek.com.

6834
Breaches CVE DB Vulns US-CERT
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.