8.2 C
New York
Friday, March 29, 2024

Hackers Could Increase Medication Doses Through Infusion Pump Flaws

From pacemakers and insulin pumps to mammography machines, ultrasounds, and monitors, a dizzying array of medical devices have been found to contain worrying security vulnerabilities. The latest addition to that ignoble lineup is a popular infusion pump and dock, the B. Braun Infusomat Space Large Volume Pump and B. Braun SpaceStation, that a determined hacker could manipulate to administer a double dose of medication to victims.

Infusion pumps automate delivery of medications and nutrients into patients' bodies, typically from a bag of intravenous fluids. They are particularly useful for administering very small or otherwise nuanced doses of medication without errors, but that means the stakes are high when problems do arise. Between 2005 and 2009, for example, the FDA received roughly 56,000 reports of “adverse events” related to infusion pumps “including numerous injuries and deaths,” and the agency subsequently cracked down on infusion pump safety in 2010. As a result, products like the B. Braun Infusomat Space Large Volume Pump are extremely locked down at the software level; it's supposed to be impossible to send the devices commands directly. But researchers from the security firm McAfee Enterprise ultimately found ways to get around this barrier.

“We pulled on every thread we could and ultimately we found the worst-case scenario,” says Steve Povolny, head of McAfee's Advanced Threat Research group. “As an attacker, you should not be able to move back and forth from the SpaceStation to the actual pump operating system, so breaking that security boundary and getting access to be able to interact between those two—it's a real problem. We showed that we could double the rate of flow.”

The researchers found that an attacker with access to a health care facility's network could take control of a SpaceStation by exploiting a common connectivity vulnerability. From there they could exploit four other flaws in sequence to send the medication-doubling command. The full attack isn't simple to carry out in practice and requires that first foothold in a medical facility's network.

“Successful exploitation of these vulnerabilities could allow a sophisticated attacker to compromise the security of the Space or compactplus communication devices,” B. Braun wrote in a security alert to customers, “allowing an attacker to escalate privileges, view sensitive information, upload arbitrary files, and perform remote code execution." The company further acknowledged that a hacker could change the connected infusion pump's configuration, and with it the rate of infusions. 

The company said in the notification that using the latest versions of its software released in October is the best way to keep devices secure. It also recommends that customers implement other network security mitigations like segmentation and multifactor authentication. 

B. Braun added in a statement to WIRED that the vulnerabilities are “tied to a small number of devices utilizing older versions of B. Braun software” and that the company has not seen evidence that the vulnerabilities have been exploited. 

“We strongly disagree with McAfee’s characterization in its post that this is a ‘realistic scenario’ in which patient safety is at risk,” the company added in its statement.

The McAfee researchers note, though, that most of the bugs haven't actually been patched in existing products. B. Braun, they say, has simply removed the vulnerable networking feature in the new version of its SpaceStations.

Once hackers gain control of the SpaceStation by exploiting the first network bug, the hack plays out by combining four vulnerabilities that all relate to lack of access controls between the SpaceStation and a pump. The researchers found specific commands and conditions in which the pumps don't adequately verify the integrity of data or authenticate commands sent from the SpaceStation. They also discovered that the lack of upload restrictions allowed them to taint a device backup with a malicious file, and then restore from the backup to get malware onto a pump. And they noticed that the devices send some data back and forth in plaintext without encryption, exposing it to interception or manipulation.

The unrestricted upload bug was simultaneously uncovered by German government researchers at the end of last year. In a statement, the FDA said that it had not been informed of the vulnerabilities. “FDA will reach out to the researchers, examine the vulnerability information upon its release, and will coordinate with the medical device manufacturer for a review of the impact assessments so as to determine if potential patient safety concerns exist that may have regulatory implications,” the agency said in a statement.

All four issues can be combined to create an attack scenario that the researchers say is realistic and would be feasible for an attacker to carry out. The most difficult and time-consuming part of the process, they say, was reverse engineering the SpaceStation and pump to understand how they work and find the vulnerabilities. Little documentation or past research exists about the devices, so malicious hackers would need to be skilled and well-resourced reverse engineers to develop such an attack. As a result, the McAfee researchers are withholding some details of their findings as a precaution.

But broader damage can be done with a lot less effort. Attackers would only need the first vulnerability in the chain, Povolny says, to take over a SpaceStation and seed ransomware or other malware from it to devices across a hospital's network. Hospitals have faced relentless ransomware attacks in recent years; they're an attractive target given the potential human harm that can result from disruptions in service.

“We want to make sure that the institutions and facilities that actually deploy these devices worldwide realize that this is a real risk,” Povolny says. “Ransomware may be more likely right now, but we cannot ignore the fact that this exists. All it takes is literally one time—one political figure, one assassination attempt and we'll be thinking that we could have done the work to prevent this.”

Given the obvious potential impacts on patients' health and safety, the quest to more fully secure medical devices is urgent regardless of current attack trends.

Updated August 24, 2021 at 12pm ET to include a statement from B. Braun.

Related Articles

Latest Articles