The Hospira PCA3 Drug Infusion Pump suffers from a number of remotely exploitable vulnerabilities. The manufacturer has been notified of critical and serious design failures that make the pump's design insecure.
The pumps communicate with MedNet “safety software,” a Windows-based operating system designed by Hospira that gets installed on a hospital server to send drug library updates to the pumps. The updates are processed by a communication module built into each pump. The pumps operate in listening mode so that new drug libraries and updates to existing ones can be pushed out to them as needed. To achieve this, the pumps listen on four ports: port 23 (for Telnet communication), port 80 (for normal HTTP traffic), port 443 (for HTTPS traffic) and port 5000 (for UPnP). The pumps can also use their own WiFi connection for communication.
Hospira systems don’t use authentication for their internal drug libraries, which help set upper and lower boundaries for the dosages of various intravenous drugs that a pump can safely administer. As a result, anyone on the hospital’s network—including a patient in the hospital or a hacker accessing the pumps over the internet—can load a new drug library to the pumps that alters the limits, thereby potentially allowing the delivery of a deadly dosage.
Exploitation of the improper authorization vulnerability may allow unauthenticated users to access the LifeCare PCA Infusion pump with root privileges by default. Exploitation of the insufficient verification of data authenticity vulnerability may allow an attacker to remotely push unauthorized modifications to the LifeCare PCA Infusion pump impacting medication libraries and pump configuration. While drug libraries, software updates, and pump configurations can be modified, according to Hospira, it is not possible to remotely operate the LifeCare PCA Infusion pump. Operation of the LifeCare PCA Infusion pump requires a clinician to be present at the pump to manually program the pump with a specified dosage before medication can be administered.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.
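One way to check a network for the exposure described above, added here as an example (not code from the original article, Hospira or ICS-CERT): it scans flow records for connections to the pumps' four listening ports from any source other than the MedNet server. The record format, the addresses and the function names are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Listening ports the article attributes to the pumps.
PUMP_PORTS = {23: "telnet", 80: "http", 443: "https", 5000: "upnp"}

# Constructed sample data (documentation address ranges, not real hosts).
PUMPS = {"192.0.2.21", "192.0.2.22"}
APPROVED = [ipaddress.ip_network("198.51.100.10/32")]  # assumed MedNet server
SAMPLE_FLOWS = """\
2024-01-01T10:00:01Z 198.51.100.10 192.0.2.21 443
2024-01-01T10:02:14Z 203.0.113.77 192.0.2.21 23
2024-01-01T10:02:20Z 203.0.113.77 192.0.2.22 23
2024-01-01T10:03:40Z 203.0.113.77 192.0.2.22 80
2024-01-01T10:05:00Z 198.51.100.10 192.0.2.22 8443
truncated record
"""

def parse_flow(line):
    """Parse 'timestamp src dst dport'; return None for a malformed record."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, src, dst, dport = parts
    try:
        return ts, ipaddress.ip_address(src), str(ipaddress.ip_address(dst)), int(dport)
    except ValueError:
        return None

def unapproved_pump_access(flow_text, pumps=PUMPS, approved=APPROVED):
    """Group connections to pump listening ports by unapproved source address."""
    findings = defaultdict(lambda: {"pumps": set(), "services": set(), "first_seen": None})
    for line in flow_text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the scan
        ts, src, dst, dport = rec
        if dst not in pumps or dport not in PUMP_PORTS:
            continue
        if any(src in net for net in approved):
            continue  # expected drug-library traffic from the MedNet server
        entry = findings[str(src)]
        entry["pumps"].add(dst)
        entry["services"].add(PUMP_PORTS[dport])
        # ISO 8601 UTC timestamps sort lexicographically
        entry["first_seen"] = min(filter(None, (entry["first_seen"], ts)))
    return dict(findings)

if __name__ == "__main__":
    for src, info in unapproved_pump_access(SAMPLE_FLOWS).items():
        print(src, sorted(info["pumps"]), sorted(info["services"]), info["first_seen"])
```

Because the pumps accept drug library updates without authentication, the list of approved sources is the only control this check can rely on, so it should hold the MedNet server and nothing else.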