Hackers Can Increase Treatment Doses Through Infusion Pump Flaws
From pacemakers and insulin pumps to mammography machines, ultrasounds, and monitors, a dizzying array of medical devices has been found to contain worrying security vulnerabilities. The latest additions to that unfortunate lineup are a popular infusion pump and dock, the B. Braun Infusomat Space Large Volume Pump and B. Braun SpaceStation, which a determined hacker can manipulate to deliver a double dose of medication to victims.
Infusion pumps are used to automatically deliver medications and nutrition into patients’ bodies, usually from a bag containing intravenous fluid. This is especially useful for administering very small or otherwise nuanced doses of medication without errors, but it means the stakes are high if problems arise. For example, between 2005 and 2009, the FDA received nearly 56,000 reports of “adverse events” related to infusion pumps “including multiple injuries and deaths,” and the agency subsequently cracked down on infusion pump safety in 2010. As a result, products such as the B. Braun Infusomat Space Large Volume Pump are more locked down in software, and it is meant to be impossible to send commands directly to the devices. But researchers from security firm McAfee Enterprise ultimately found ways to get around this barrier.
“We took every thread we could and we finally found the most serious case,” said Steve Povolny, head of McAfee’s Advanced Threat Research group. “As an attacker, you can’t switch from SpaceStation to a real pump operating system, so break the security boundary and get access to be able to communicate between the two – it’s a real problem. We’ve shown that we can double the rate of flow.”
The researchers found that an attacker with access to a health care facility's network could take control of a SpaceStation by exploiting a common connectivity vulnerability. From there, they could exploit four more flaws in sequence to send the command that doubles the medication dose. The full attack is not simple to carry out in practice and requires that initial foothold on a medical facility's network.
“Successful exploitation of these vulnerabilities could allow a sophisticated attacker to compromise the security of Space or compactplus communication devices,” B. Braun wrote in an alert to customers, “which allows an attacker to extend privileges, view sensitive information, upload random files, and perform remote code execution.”
The company said in the announcement that using the latest versions of its software, released in October, is the best way to protect devices. It also recommends that customers implement other network security mitigations such as isolation and multifactor authentication. McAfee researchers note, however, that most of the bugs have never been patched in existing products. B. Braun, they say, has simply removed the vulnerable networking feature in the new version of its SpaceStations.
Once the hackers took control of the SpaceStation by exploiting the first, network-level bug, the hack played out by combining four vulnerabilities that all relate to the lack of access controls between the SpaceStation and a pump. The researchers found specific commands and conditions under which the pumps did not check whether the integrity of the data was intact or verify the commands sent from the SpaceStation. They also discovered that the lack of upload restrictions allowed them to taint a device backup with a malicious file, and then restore from the backup to get malware onto a pump. And they noticed that the devices repeatedly sent data in plaintext without encryption, exposing it to interception or manipulation.