Darwin's Theories Blog

New Theories for a New Time

Yet who would have thought the old pump to have had so many bugs in him?

2015-05-07
Hospital infusion pump with *Multiple Remote Vulnerabilities??
According to a 2015-05-07 article in SANS @RISK: The Consensus Security Vulnerability Alert, Vol. 15, Number 18 (which you can get for free by signing up at https://www.sans.org/account):

"The Hospira LifeCare PCA3 Drug Infusion Pump has been found 
to contain multiple remotely exploitable security vulnerabilities. 
Vulnerabilities such as the ability for an attacker to get an 
unauthenticated remote root shell, hardcoded local accounts with 
administrative privileges, storage of wireless keys in clear text, and 
the use of additional software packages that have had security patches 
released since the device has shipped are some of the vulnerabilities 
found within the device.  The U.S. Dept. of Homeland Security has issued 
an advisory, indicating that the vendor is currently working to patch 
these vulnerabilities." For more details, see http://hextechsecurity.com/?p=123
It seems that everyone - the F.D.A, the manufacturers, and everyone who tested this thing - has failed the most vulnerable person here - the hospital patient whose drugs are administered by this exploitable pump. It's only been about TEN YEARS since an episode of TV show Law&Order showed a vengeful nerd exploiting just such a vulnerability in just such a pump to kill people. Nothing has changed.