A hell-bent hacker is what is required to break into medical equipment and wreak havoc. But you never know there might be one around the corner.
Security vulnerabilities have been observed in many pacemakers, insulin pumps to mammography machines, ultrasounds, and monitors, a dizzying array of medical devices. The latest to add to this long line of equipment is the B. Braun Infusomat Space Large Volume Pump and B. Braun Space Station. The problem identified in the pump is that it can be hacked into administering a double dose of medication to victims.
A bag of intravenous fluids is used attached to the pump, out of which doses are administered to the patients as per the prescription. These pumps are used to administer sensitive doses, where the syndrome of error is close to zero. But imagine if the pump makes an error. That is what we are talking about here; human lives are at potential risk as a result of hacking.
“We pulled on every thread we could, and ultimately we found the worst-case scenario,” says Steve Povolny, head of McAfee’s Advanced Threat Research group. “As an attacker, you should not be able to move back and forth from the SpaceStation to the actual pump operating system, so breaking that security boundary and getting access to be able to interact between those two—it’s a real problem. We showed that we could double the rate of flow.”
An all-out attack won’t be that simple. It would require access to the medical facility first; only after that can the hacker administer additional doses.
“Successful exploitation of these vulnerabilities could allow a sophisticated attacker to compromise the security of the Space or compact plus communication devices,” B. Braun wrote in a security alert to customers, “allowing an attacker to escalate privileges, view sensitive information, upload arbitrary files, and perform remote code execution.” The company further acknowledged that a hacker could change the connected infusion pump’s configuration and the rate of infusions with it.
The companies also stated that if the latest version is used, it can easily deter such attempts. B. Braun said in a statement to WIRED that the loopholes are “tied to a small number of devices utilizing older versions of B. Braun software” and that the company has not seen evidence that the vulnerabilities have been exploited.
“We strongly disagree with McAfee’s characterization in its post that this is a ‘realistic scenario’ in which patient safety is at risk,” the company added in its statement.
Broader damage can be rendered with a lot less effort. “Attackers would only need the first vulnerability in the chain”, Povolny says, “to take over a SpaceStation and seed ransomware or other malware from it to devices across a hospital’s network. Hospitals have faced relentless ransomware attacks in recent years; they’re an attractive target given the potential human harm that can result from disruptions in service.”
“We want to make sure that the institutions and facilities that actually deploy these devices worldwide realize that this is a real risk,” Povolny says. “Ransomware may be more likely right now, but we cannot ignore the fact that this exists. All it takes is literally one time—one political figure, one assassination attempt, and we’ll be thinking that we could have done the work to prevent this.”