From. From pacemakers and insulin pumps to mammography machines, ultrasounds and monitors, a dizzying array of medical devices has been found to have alarming safety risks. The latest addition to this unknown lineup is a popular infusion pump and dock, the B Brown Infusomat Space Large Volume Pump and the B Brown Space Station, that a determined hacker could manipulate to give victims a double dose of medicine.
The infusion pump automatically transmits medicines and nutrients to patients’ bodies, usually through a bag of intravenous fluids. They are especially useful for administering small doses of medications without errors or otherwise fine doses, but this means that the stakes are higher when problems arise. For example, between 2005 and 2009, the FDA received approximately 56,000 reports of “adverse events” related to infusion pumps, including “numerous injuries and deaths,” and the agency subsequently issued a report in 2010. Removed safety of infusion pump. B. Brown infosomat spaces are extremely closed at the level of large volume pump software. It is considered impossible to send direct commands to devices. But researchers at security firm McAfee eventually found ways to overcome the obstacle.
“We pulled every thread and eventually we got the worst case scenario,” says Steve Powellini, head of McAfee’s Advanced Threat Research Group. “As an attacker, you shouldn’t go back and forth from the space station to the actual pump operating system, so breaking that security barrier and being able to communicate between the two – that’s a real problem. We have shown that we can double the flow rate.
The researchers found that an attacker could take control of the space station by taking advantage of the threat of joint communication with access to a healthcare facility network. From there they can take advantage of four other flaws in the sequence to send the drug double command. A full-blown attack is not easy to do in practice and requires a first step into the medical facility network.
“Successful exploitation of these vulnerabilities can allow a sophisticated attacker to compromise the security of space or compact plus communication devices,” B. Brown wrote in a security alert to clients. Allows you to view, upload arbitrary files, and execute remote codes. “The company further acknowledged that a hacker could alter the configuration of the attached infusion pump, as well as the infusion rate.
The company said in a notification that using the latest version of its software, which will be released in October, is the best way to keep devices safe. It also recommends that users implement other network security reductions, such as distribution and multi-factor authentication. He says B. Brown has removed the weak networking feature in the new version of his space stations.
Once hackers gain control of the space station by exploiting the first network bug, the hack ends with a combination of four vulnerabilities related to the lack of access control between the space station and the pump. Researchers have found specific orders and conditions that do not adequately verify the integrity of the pump data or verify commands sent from the space station. They also discovered that the lack of upload restrictions allowed them to stain device backups with harmful files, and then restore from backups to get malware at the pump. And they saw that the devices send some data back and forth in plain text without any encryption, which could lead to interference or manipulation.