Hackers Could Increase Medication Doses Through Infusion Pump Flaws

A dizzying range of medical devices, including pacemakers, insulin pumps, mammography machines and ultrasounds, have been discovered to be vulnerable to security breaches. A popular infusion pump, the B. Braun Infusomat Space Large Vol Pump and B. Braun SpaceStation is now at risk. Hackers could use it to give victims a double dose.
Infusion pumps are used to deliver medications and nutrients directly into the body of patients, usually from intravenous fluids. Although they are useful in administering small doses or other nuanced amounts of medication with no errors, the risks associated with them are very high. The FDA received approximately 56,000 reports about adverse events related infusion pumps between 2005 and 2009. These included many injuries and deaths. In 2010, the FDA took steps to improve infusion pump safety. Products like the B. Braun Infusomat Large Volume Pump are very tightly locked down at the software level. It is supposed to be impossible for the devices to receive commands directly. McAfee security researchers eventually found a way to bypass this restriction.

Steve Povolny is the head of McAfee’s Advanced Threat Research Group. He says that we tried every trick and finally found the worst case scenario. An attacker should not be allowed to move between the SpaceStation and the actual pump operating systems. This is a problem because it breaks the security boundary and allows you to access the two. We demonstrated that we were able to double the flow rate.

Researchers discovered that an attacker could gain access to the network of a health facility and take control over a SpaceStation using a common connectivity vulnerability. They could then exploit four additional flaws to send the medication-doubling order. It is difficult to execute the full attack in practice.

These vulnerabilities can be exploited by a skilled attacker to compromise the security and security of Space or compactplus communication devices. B. Braun sent a security alert to customers. This security alert allowed an attacker to increase privileges, view sensitive data, upload arbitrary files and execute remote code. A hacker could also alter the configuration of the connected infusion pump and the rate at which it is infused.

In a notification, the company stated that the best way to protect devices is to use the October release of its software. The company also suggested that customers use other network security mitigations such as segmentation or multifactor authentication. However, McAfee researchers point out that many of the bugs in existing products have not been fixed. According to B Braun, the vulnerability was simply removed from the SpaceStations version.

Hackers gain control over the SpaceStation through exploiting the first network vulnerability. The hack involves four vulnerabilities that all refer to the lack of access controls between the SpaceStation (and a pump) Researchers discovered specific conditions and commands that the pumps didn't properly verify data integrity or authenticate commands sent to them from SpaceStation. The lack of upload restrictions made it possible to corrupt a device backup with malicious files, then restore from that backup to install malware on a pump. They also discovered that some devices sent data back and forth in plaintext, without encryption, which makes it vulnerable to manipulation or interception.