Researchers have identified several critical vulnerabilities in Hospira LifeCare patient-controlled analgesia (PCA) infusion systems, which can be exploited by a remote attacker to take complete control of affected devices.
According to the manufacturer’s website, the LifeCare PCA drug pump is designed to prevent medication errors that commonly arise in PCA. The device is advertised as including features that enhance safe and secure delivery.
Canada-based researcher Jeremy Richards (@dyngnosis) published a blog post on Tuesday detailing multiple security issues identified in Hospira LifeCare PCA3 drug infusion pumps.
“I would personally be very concerned if this device was being attached to me. It is not only susceptible to attack, it is so poorly programmed it can be rendered a useless brick with a single typo,” the researcher said.
Richards noted that Hospira LifeCare PCA pumps are “life critical devices” deployed in hospitals on a separate “life critical network.” According to the expert, a malicious actor could connect to a device via its Ethernet port and easily recover the wireless encryption keys to the life critical network. The attacker can then use this information to connect wirelessly to the life critical network and gain full control of all the drug infusion pumps in the hospital.
Such an attack is possible due to several flaws. One of the vulnerabilities is that the Wi-Fi Protected Access (WPA) keys for the hospital’s wireless network are stored in plain text on the device, where they can be retrieved over the pump’s FTP and Telnet services.
“Since these pumps are designed to stay attached to patients, local access needs to be considered. These devices are configured to exist on a medical device network. This also needs to be considered by hospitals selling their old equipment,” Richards noted.
Another problem is the lack of authentication for Telnet sessions (CVE-2015-3459), which allows remote attackers to gain root privileges via TCP port 23.
Richards also identified an issue related to hardcoded local account credentials stored on the device. The expert said he cracked the credentials “very quickly” using the HashCat tool.
The researcher also discovered that the “linkparams” and “xmmucgi” CGIs don’t require authentication. This allows an attacker to perform drug library updates, firmware updates, and execute arbitrary commands.
Finally, the expert revealed that the web server is running a vulnerable version of Appweb.
“Remote administration of the device can be accomplished over the network without credentials. Even if credentials were implemented on the Telnet port there are still web services (CGIs) that allow a remote attacker to change the drug library, update software and run commands,” Richards wrote in his blog post. “Even if that web service was secure there are additional services like FTP that are open with hard coded accounts.”
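The exposures described above (Telnet and FTP reachable on the pump, and CGIs that accept drug-library and firmware updates without credentials) are all visible on the wire. The following is an added detection example, not code from Hospira, Richards or ICS-CERT: it scans constructed connection-log lines and flags any session to a host in the pump subnet that uses Telnet or FTP, or that requests one of the two CGIs named in the post. The subnet 10.42.0.0/24, the log line format, and the /cgi-bin/ path prefix are assumptions made for the example; the article gives only the CGI names.

```python
"""Flag cleartext admin sessions and unauthenticated CGI requests to infusion pumps.

Added example for this article; the log format, the pump subnet and the
/cgi-bin/ prefix are assumptions, not details from the advisory.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlsplit

# Assumption: the hospital's "life critical network" for pumps is 10.42.0.0/24.
PUMP_SUBNET = ipaddress.ip_network("10.42.0.0/24")

# Management services the article reports as exposed on the LifeCare PCA.
CLEARTEXT_ADMIN_PORTS = {
    21: "FTP session (plaintext WPA keys readable, hardcoded accounts)",
    23: "Telnet session (no authentication, root shell)",
}

# CGI names taken from the article; the request path they sit under is assumed.
UNAUTH_CGIS = ("linkparams", "xmmucgi")


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    port: int
    reason: str


def parse_line(line: str) -> Tuple[str, str, str, int, str, str]:
    """Parse one constructed log line: '<ts> <src>:<sport> -> <dst>:<dport> <proto> <uri|->'."""
    parts = line.split()
    if len(parts) != 6 or parts[2] != "->":
        raise ValueError(f"unexpected log line: {line!r}")
    ts, src, _, dst, proto, uri = parts
    src_ip, _, _ = src.rpartition(":")
    dst_ip, _, dport = dst.rpartition(":")
    return ts, src_ip, dst_ip, int(dport), proto, uri


def analyse(log_text: str) -> List[Finding]:
    """Return one Finding per session that matches an exposure from the article.

    Source address is deliberately not used as a filter: the scenario in the
    post is an attacker plugged into the pump's own Ethernet port, so a
    Telnet or FTP session from inside the pump subnet is still suspicious.
    """
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, dst, dport, proto, uri = parse_line(line)
        if proto != "tcp" or ipaddress.ip_address(dst) not in PUMP_SUBNET:
            continue
        if dport in CLEARTEXT_ADMIN_PORTS:
            findings.append(Finding(src, dst, dport, CLEARTEXT_ADMIN_PORTS[dport]))
        elif dport == 80 and uri != "-":
            # Only the last path component is compared, so the assumed
            # /cgi-bin/ prefix does not matter for matching.
            script = urlsplit(uri).path.rsplit("/", 1)[-1]
            if script in UNAUTH_CGIS:
                findings.append(Finding(src, dst, dport, f"unauthenticated CGI {script}"))
    return findings


# Constructed sample log: two pumps (10.42.0.7, 10.42.0.9) plus unrelated traffic.
SAMPLE_LOG = """\
2015-05-05T10:01:02Z 10.42.0.15:40021 -> 10.42.0.7:23 tcp -
2015-05-05T10:01:09Z 10.42.0.15:40022 -> 10.42.0.7:21 tcp -
2015-05-05T10:02:30Z 10.10.5.20:51233 -> 10.42.0.7:80 tcp /cgi-bin/linkparams?lib=2
2015-05-05T10:03:00Z 10.10.5.20:51234 -> 10.42.0.7:443 tcp -
2015-05-05T10:04:00Z 10.10.5.21:51240 -> 10.42.0.9:80 tcp /index.html
2015-05-05T10:05:00Z 192.168.1.5:3000 -> 10.10.5.21:80 tcp /cgi-bin/xmmucgi
"""

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.src} -> {f.dst}:{f.port}  {f.reason}")
```

Run against the constructed sample, the script flags the Telnet and FTP sessions to 10.42.0.7 and the linkparams request, and ignores the HTTPS session, the plain index page on 10.42.0.9, and the xmmucgi request to a host outside the pump subnet. In a real deployment the same logic belongs on the firewall or IDS that sits between the hospital LAN and the medical device network, which is the layer Hospira points to as the first line of defense.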
Security researcher Billy Rios has also analyzed Hospira LifeCare PCA pumps. He noted on Twitter that he reported his findings via ICS-CERT a year ago, but says that “the vendor response has been horrible.”
ICS-CERT published an advisory on Tuesday on Rios’ findings. The advisory mentions the improper authorization issue (CVE-2015-3459) and insufficient verification of data authenticity (CVE-2014-5406), which can be exploited to upload drug libraries, configuration changes and software updates from unauthorized sources.
“Exploitation of the insufficient verification of data authenticity vulnerability may allow an attacker to remotely push unauthorized modifications to the LifeCare PCA Infusion pump impacting medication libraries and pump configuration,” ICS-CERT noted. “While drug libraries, software updates, and pump configurations can be modified, according to Hospira, it is not possible to remotely operate the LifeCare PCA Infusion pump. Operation of the LifeCare PCA Infusion pump requires a clinician to be present at the pump to manually program the pump with a specified dosage before medication can be administered.”
ICS-CERT said Hospira has been aware of these issues since May 2014. The company has developed version 7.0 to address the vulnerabilities reported by Rios, but the update is not available yet since it is currently being reviewed by the U.S. Food and Drug Administration (FDA). It’s uncertain when version 7.0 of the LifeCare PCA infusion system will become available, but users should apply the update once it’s released.
In late March, ICS-CERT published an advisory detailing several vulnerabilities in Hospira’s MedNet server software. The flaws, discovered and reported by Rios, were fixed by Hospira with the release of a new version of the software.
“Hospira infusion pumps with safety software are critical tools in helping hospitals deliver needed medication to patients safely. Hospira’s first priority is patient care. This includes ensuring our medication management devices, and their related software meet patient and hospital needs, and maintaining compliance with U.S. Food and Drug Administration (FDA) product requirements,” Hospira said in a statement.
“There are no instances of Hospira devices being breached in a clinical setting and Hospira has taken a proactive approach to address potential cybersecurity vulnerabilities. Hospira has communicated with existing customers on how to address the vulnerabilities stated in the advisory and has put further protections in place in our next-generation PCA device, which was submitted to the U.S. Food and Drug Administration for clearance in December,” the company’s representatives told SecurityWeek.
“Hospira has been part of ongoing discussions with the FDA and Department of Homeland Security regarding recent developments around device cybersecurity. It’s also worth noting that exploiting vulnerabilities requires penetrating several layers of network security enforced by the hospital information system, including secure firewalls. These network security measures serve as the first and strongest line of defense against tampering and the pumps and software provide an additional layer of security,” Hospira added.
Medical device security has made numerous headlines in recent months. In October 2014, the FDA published a guide containing recommendations for manufacturers on managing cybersecurity risks and protecting patient information.
*Updated with additional impact information from ICS-CERT and statement from Hospira