Infusion pump is hackable … but rumours of death are exaggerated

Yes, medical devices have flaws, but they're harder to exploit than you're led to believe

Skull image

It's the kind of vulnerability that's tailor-made for infosec publicity: a brand of infusion pumps used to deliver drugs to patients in hospital has an open, unauthenticated Telnet port that allows an attacker access to the dosage database.

Yes, it's a serious vulnerability that presumably applies as much to the pump's WiFi port as it does to the Ethernet port – but in the media's excitement that you could use the flaw to kill patients, few people have looked at the real-life use-case for infusion pumps.

The connected patient

The entire computing industry is keen – very, very keen – to turn every hospital device into an Internet of Things (IoT) market segment, but it hasn't got there quite yet.

One reason is that the networks aren't quite up to it – so the tech sector wants to push software-defined networking (SDN) into healthcare. That would create a network that wouldn't collapse under the weight of too many devices, and too few available VLANs, and it would mean a device that can only reach the Cafe WLAN Level 3 could weave its way back to its home LAN.

Right now, I'm willing to dismiss the Ethernet port as an attack vector.

Let me take you inside and infusion centre. I know what an infusion centre is like, from personal experience (although not my own infusions) over a five-year period.

It's a place where people with cancer, immune disorders and other conditions needing chemotherapy or immune-suppressants get them pumped into a cannula, sometimes for hours, so the pumps get hung off a wheeled stand to let the patient visit the bathroom or walk around when they get bored.

The LifeCare PCA – Patient-Controlled Analgesia – pump is going to be similarly mobile. Unless the patient is in ICU or recovering from a surgery that leaves them immobile, they'll probably be encouraged to get moving to help their recovery.

Nobody assumes that any particular infusion pump will stay in one place to either (a) connect to an Ethernet port or (b) stay within range of a wireless LAN (the right wireless LAN, since if you check “available networks” inside a hospital you'll find many different networks serving different functions).

Both doctors and nurses would, in most cases, avoid being asked to plug in a blue Ethernet cable when they plug in the patient (or ask the patient to plug the pump in, whenever they're stationary and remember to).

Also: cables have to be cleaned, because they're infection vectors in a world of superbugs like Methicillin-resistant Staphylococcus aureus – MRSA. A nurse privately pointed out to me that in some infectious situations, the rule is “dip it in bleach or throw it away”.

Anyhow, public hospitals aren't going to refit their 1950s-brutalist-brick buildings to pull Ethernet where it's not needed. Really: ask any public hospital, anywhere in the world, to install Ethernet cables to places they don't have to be, out of their own budget, and see if they don't put you in a wicker basket and set fire to it.

But what about the WiFi?

At least some of what I've mentioned is as applicable to the WiFi interface as the Ethernet interface – in particular, the assumption that in most applications, the pump will be mobile.

If you're getting sick of being stuck in the infusion chair on (say) Level 5 of the Sydney Infusion Centre, or bored witless with the view from Level 9, you'll walk down the long corridor, get into the lift, go down to the ground floor, and sit on a little garden bench, happily out of reach of the pump's home WiFi access point.

Nobody's going to make always-on connectivity a dependency of pump operation.

And I'll return to my prior observation, about the hospitals I'm familiar with, running multiple WLANs for different functions. An unauthenticated attacker could change the pump's settings – but first, they'd have to get onto the authenticated network.

If a hospital is running (say) “Patient Equipment WLAN Level 9” without authentication, it's got bigger problems than this one PCA infusion pump.

So where does this leave us?

This isn't a killer vulnerability, but it's still closer to “dire warning” than “good example”.

First: the real-world attack scenario. It isn't when the pump's in use: it's when it's sitting in the equipment room waiting for a patient, or perhaps when it's been called down to Maintenance for software updates.

Both of those situations offer a genuine opportunity for someone with malicious intent to fool around with the machines, if they can get physical access to them.

Second: we journalists need to go beyond the pure-infosec story to consider the real-world attack vectors, rather than just repeating what hackers tell us (we're usually not competent to challenge the attack details, and anyhow this one got a CVE so it's real).

Third: people making medical devices do need to start treating security seriously, because one day a vulnerability might be catastrophic. Organisations like the FDA, which certify such devices, also need to include security in their certification.

Fourth and finally: if the IT industry keeps pimping IoT for hospitals, it's got to start including security vulnerabilities in the business case. Because a vulnerability that leads to a dead patient will be very expensive. ®

Sponsored: Becoming a Pragmatic Security Leader




Biting the hand that feeds IT © 1998–2019