Seek and Exploit Security Vulnerabilities in an Infusion Pump

Infusion pumps and other medical devices are not your typical everyday, off-the-shelf embedded system. Best case, you will rarely, if ever, come across one in your life. For widespread exploitation, they probably seem too exotic for anyone to bother exploring their weaknesses. Yet their direct impact on a patient’s well-being makes any security hole far more severe should someone decide to bother after all.

[Scott Gayou] is one of those someones, and he didn’t shy away from spending hundreds of hours of his free time inspecting the Smiths Medical Medfusion 4000 infusion pump for possible security vulnerabilities. Looking at his threat model from several angles, he started with physical handling of the device’s user interface. That allowed him to enable the external communication protocol settings, which in turn opened the device’s FTP and Telnet ports, both of which carry credentials in clear text. Not to give too much away, but he managed to gain access to the file system content and, as a result, to the system’s login credentials. That alone can clearly be considered a success, but for [Scott] it merely opened a door: he went on to desolder the memory chips, reverse engineer the bootloader and firmware, and ultimately execute his own code on the device.

Understanding the implications of his discoveries, [Scott] held off publishing his research until the manufacturer had time to address these security issues. So kudos to him for fighting the good fight. And just in case the thought of someone gaining control over a machine that is crucial to your vitality doesn’t scare you enough yet, go ahead and imagine that device was actually implanted in your body.
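The practical defender's question raised by the write-up is how to notice when someone reaches a pump over FTP or Telnet at all. The script below is an added example for this article, not code from [Scott]'s research or from the manufacturer: it runs simple detection logic over a constructed flow log. The subnet, the drug-library server address, the log format and the sample lines are all assumptions; only the port numbers (21 for FTP, 23 for Telnet) come from the protocols the article names.

```python
"""Flag plaintext management-protocol access to an infusion-pump subnet.

Added example for this article. Addresses, log format and sample lines
are assumptions constructed for illustration, not captured data.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Assumed network layout: pumps sit on their own subnet and should only be
# reached by the drug-library server (the one legitimate manager).
PUMP_SUBNET = ipaddress.ip_network("10.40.0.0/24")
ALLOWED_MANAGERS = {ipaddress.ip_address("10.10.5.20")}

# Services the article says the pump exposes once the external
# communication setting is enabled; both send credentials in clear text.
PLAINTEXT_MGMT_PORTS = {21: "ftp", 23: "telnet"}

# Constructed sample flow log, one connection attempt per line:
# "<timestamp> <src>:<sport> -> <dst>:<dport> <proto> <flags>"
SAMPLE_FLOWS = """\
# constructed sample, not a real hospital capture
2023-05-01T10:00:01Z 10.10.5.20:51234 -> 10.40.0.17:443 tcp S
2023-05-01T10:00:02Z 10.40.0.17:49152 -> 10.10.5.20:443 tcp S
2023-05-01T10:03:15Z 10.20.7.44:40001 -> 10.40.0.17:23 tcp S
2023-05-01T10:03:16Z 10.20.7.44:40002 -> 10.40.0.17:21 tcp S
2023-05-01T10:03:17Z 10.20.7.44:40003 -> 10.40.0.18:23 tcp S
2023-05-01T10:05:00Z 10.30.1.9:55000 -> 10.40.0.17:8080 tcp S
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src: str
    dst: str
    dport: int
    reason: str


def parse_flow(line):
    """Split one flow line into (timestamp, src_ip, dst_ip, dport, proto)."""
    ts, src, _arrow, dst, proto, *_flags = line.split()
    src_ip, _sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return ts, ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip), int(dport), proto


def evaluate(lines):
    """Return findings for traffic *into* the pump subnet.

    Two rules: any FTP/Telnet connection to a pump is reported, whatever the
    source, and any other connection from a host that is neither the
    drug-library server nor another pump is reported as an unexpected source.
    """
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, _proto = parse_flow(line)
        if dst not in PUMP_SUBNET:
            continue  # only inbound traffic to pumps is of interest here
        if dport in PLAINTEXT_MGMT_PORTS:
            findings.append(Finding(ts, str(src), str(dst), dport,
                                    f"{PLAINTEXT_MGMT_PORTS[dport]} to pump"))
        elif src not in ALLOWED_MANAGERS and src not in PUMP_SUBNET:
            findings.append(Finding(ts, str(src), str(dst), dport, "unexpected source"))
    return findings


def summarize(findings):
    """Count findings per source address so a scanner stands out."""
    return Counter(f.src for f in findings)


if __name__ == "__main__":
    hits = evaluate(SAMPLE_FLOWS.splitlines())
    for hit in hits:
        print(f"{hit.timestamp} {hit.src} -> {hit.dst}:{hit.dport} {hit.reason}")
    print("per-source:", dict(summarize(hits)))
```

On the sample, the drug-library server's own connection and the pump's reply are silent, while the host sweeping Telnet and FTP across two pumps accounts for three of the four findings. In a real deployment the same two rules map directly onto a firewall between the pump VLAN and the rest of the hospital network: allow the manager, log and drop the rest.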

16 thoughts on “Seek and Exploit Security Vulnerabilities in an Infusion Pump”

  1. So what’s the ROI here for your would-be hackers? Install Monero miners on them all? Backdoor trojans and hold the patient’s life for ransom?
    I am just not seeing anything of value here. I suppose if you were injured and had an opioid drug addiction problem, you could turn up your morphine dose…

    Don’t get me wrong, squashing vulnerabilities, especially in medical equipment, is good, but the devices aren’t easily and anonymously attainable, the hack is labor- and skill-intensive, it requires physical access, and while this attack vector probably works on other models and makers, the labor is likely not even applicable within the same family across different years.

    The fear factor is less than impressive. Not to mention that in most scenarios, once you have physical access the battle is already over. If I want to murder a patient using this device, just turn it to max. Done.

    1. It looked like a hacker with access to the hospital’s Ethernet could at the very least make the device continuously reboot, letting you knock the pump offline remotely. That might work if the black hats’ goal was terrorism rather than money.

      1. As a first line of defense, it should be obvious that devices like this should not be accessible outside of a firewalled private intranet (and private SSID) for hospital Internet devices. For that matter, I feel like most IoT devices should be set up that way as well – realistically, it’s difficult to have a reasonable price/performance balance for many, cheap devices that must have a TCP/IP stack for whatever reason (pretty sure every small cheap embedded wireless device I’ve seen has been susceptible to DoS by virtue of, well, simply not enough CPU cycles to deal with the risk). So best to firewall them off anyway with a beefier device.

        FWIW I’m pretty sure most infusion pumps in hospitals I’ve been to aren’t, uh, connected to a network.

        1. All of you are illuminating how little you know about how hospitals actually work. This is way beyond just IoT, or ethernet connected devices.

          There are people in hospitals whose entire job it is to maintain all of the different equipment in the hospital. Medical equipment needs service and repair like almost anything else. There are people who have unhindered access to whatever equipment is in the hospital, and can at any time provide a plausible excuse for why they need a particular piece of equipment, or why they would have opened the equipment up and seem to be “fixing it.” Unless it is literally the only piece of equipment of that type in the hospital and is immediately needed, staffers such as nurses and doctors aren’t going to bat an eye. They’ve got sick people to worry about, and trust that the equipment is working. They’re going to let that piece of equipment be taken for “service,” and find the next machine and plug it in.

          1. Speaking as one of the people that services such equipment, Mike is dead on. People literally just walk out of the hospital with these things all the time. All you would really need to do is visit someone in the hospital and pick up the spare one in their room.

            Also most pumps are wirelessly connected because of the need to update the drug library. This controls how much dose can be given at what rate etc.

            The device calibration is also stored in there to tell the pump how fast to drive the motor to deliver the correct rate.

            A lot of drugs that are infused on a daily basis could be extremely harmful if not lethal if given too much too fast.

          2. Maybe the hospitals around here are unique but I can assure you that if you try to leave the building with a fairly large piece of medical equipment, security will come and see what is going on. Cameras are everywhere. There are armed guards at desks by every exit. Police have a station near ER. I guess it is small enough you might be able to put it in a bag, but that might look suspicious too.

            I am not even concerned with the how, but the why. You already have physical access, just go into settings and up the dose. Usage manuals are much easier to come by than stealing the machine and returning it and reconnecting it.

          3. @TheInternet – Don’t be so sure, one facility I was working at had two brand new ventilators walk right out the door because the individual who stole them was able to talk his way in as an outside vendor doing service on the equipment, just like John the Biomed pointed out. We are talking about $50k+ each, and while they did eventually recover them, it was only when an actual manufacturer’s service tech had to replace a board on one and discovered that the serial # outside didn’t match the one embedded in the main board. They figured out who had stolen them, but by then the statute of limitations had run out.

            John the Biomed and Mike are correct, the issue isn’t with the pumps themselves but with being able to gain access to the hospital network, either to tamper with the drug libraries or to hold hostage the network and data in the hospital servers. Another facility nearby made the news when their system got encrypted and they ended up having to pay the ransom to get access to it again. While it may not have been due to accessing the wireless network, the issue is being able to access the system at all.

          4. @theinternet you’re missing the point. This isn’t just about infusion pumps, this isn’t about stealing the equipment. The point is there are people at a hospital who can access every piece of equipment, who can deem a piece of equipment “broken” or “expired.” Who *could* hack the piece of equipment IN THE HOSPITAL, without drawing any undue attention to themselves, because it looks, plausibly like they’re doing their job.

            It’s not about just going into the settings and up the dose. With enough time, and effort almost any of this equipment could be made to look like it is working – but it’s not, or it’s doing harm. There are people who most certainly have enough time, and access to do it without getting themselves caught.

  2. I don’t see the point. For malice, the pump could just be tampered with by inserting an additional controller that simply advances the pump independently or disturbs its operation. With full hardware access, no device is safe.

    1. There ARE people in hospitals whose job it is to maintain the equipment. Who have full access to all of the equipment in the hospital. Who would have a plausible reason for opening any piece of equipment for “service.”

      Also, any device actually in a hospital would be exceedingly difficult to tamper with in that way. Engineering teams spend hundreds of hours doing FMEAs, and then fixing the vulnerabilities however minor they seem.

      1. Every single machine I have seen has a USB port, and I would put money on it being for updates, and I have seen a software update menu in one I was playing with to shut it up.
        So it should be fast and easy to just go in through the front door.

  3. Ha, got one better.
    A lot of the hospitals have new lighting systems.
    I put one in a new hospital in Ontario, I must say they are so, so easy to hack.
    If you can program an Arduino you can program and take over the whole building.
    The thing that got me the most was the operating lights were controlled through the same system.
    Can you imagine having surgery and all of a sudden all the lights in the whole hospital go ballistic.

    I told the highest levels about what I found, but they just said it will never happen. There are security systems in place.
    Then I went through what was needed to control the system. And they said they will look into it.
    That was 3 years ago. I was at the hospital before Christmas for testing, and had brought what I needed to hack the light in the room I was in. (It all fit in my one pocket with room for my keys.) It took me less than 20 sec to get in.

    YEA, they fixed it.
