Monday, June 8th, 2015
In May of 2014, I reported to the Department of Homeland Security (and eventually the FDA) a series of vulnerabilities affecting the PCA 3 Lifecare infusion pump made by Hospira. Over 400 days later, we have yet to see a single fix for the issues affecting the PCA 3. On April 28th of this year, a researcher named Jeremy Richards of Hextech Security publicly disclosed many of the same vulnerabilities I reported in May of 2014. The public disclosure caused a chain of events, including the publishing of a cyber security safety advisory from the FDA. I believe the FDA cyber security safety advisory is the first of its kind. The FDA safety advisory only mentions the PCA3 and PCA5 infusion pumps. There has been much debate over the true impact of these issues and whether these vulnerabilities can actually be used to cause harm to a patient. I’ll be contributing data to the “impact” debate at SummerCon in July, but for now, I’d like to draw attention to a different issue. When I reported these issues over a year ago, I realized that many of the issues were related to the design and insecure deployment of the PCA 3. Additionally, I noticed references to additional Hospira products within the PCA 3 firmware I examined.
In May of 2014, I recommended Hospira conduct an analysis to determine whether other infusion pumps within their product lines were affected. Five months after my request for a variant analysis, I received notification that Hospira was “not interested in verifying that other pumps are vulnerable”.
Given that the vendor refuses to conduct an analysis of other pumps that are affected by publicly known security issues, I decided to independently purchase additional pumps and perform this analysis for them.
The analysis I conducted was not sponsored or funded by any external agency; it was just me trying to understand the scope of the issues at hand. What I found was very interesting: many of Hospira’s infusion pumps utilize IDENTICAL SOFTWARE on their communications module, making them vulnerable to the exact same security issues associated with the PCA 3. Here is a list of Hospira infusion pumps that I have verified to be affected by the issues in the DHS and FDA advisory. These are the same issues publicly disclosed by Jeremy Richards in April of 2015.
- PCA 3 Lifecare (mentioned in the FDA advisory)
- PCA 5 Lifecare (mentioned in the FDA advisory)
- Plum A+ Infusion Pumps
- PCA Lifecare
- Symbiq (no longer sold by Hospira, but affected)
Additionally, I suspect (but haven’t verified) that these other pumps are affected by the same issues:
- Plum A+3
- Plum 360
- Sapphire Plus
These vulnerabilities include:
- The ability to forge drug library updates to the infusion pump
- Unauthenticated telnet shell to root to the communications module
- Identical hardcoded credentials (service credentials) across different device lines
- Identical private keys across different device lines
- Identical encryption certificates across different device lines
- A slew of outdated software (>100 different vulnerabilities)
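The variant analysis described above (the same communications-module software, private keys and certificates showing up verbatim across product lines) can be done mechanically once firmware images are extracted. The following is an added example, not the author’s tooling: it hashes every file in several extracted image trees, reports files that are byte-identical across images, and flags the subset that looks like PEM key or certificate material. The two “pump” images it scans are constructed in a temporary directory; paths and file names are assumptions, not Hospira’s.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Markers for PEM-encoded key or certificate material (covers RSA/EC/generic keys).
KEY_MARKERS = (b"PRIVATE KEY-----", b"-----BEGIN CERTIFICATE-----")

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def shared_files(image_dirs):
    """Return {digest: {(image, relpath)}} for files present in more than one image."""
    by_digest = defaultdict(set)
    for image, root in image_dirs.items():
        for dirpath, _, names in os.walk(root):
            for name in names:
                full = os.path.join(dirpath, name)
                by_digest[sha256_of(full)].add((image, os.path.relpath(full, root)))
    return {d: locs for d, locs in by_digest.items() if len({i for i, _ in locs}) > 1}

def shared_key_material(image_dirs):
    """Subset of shared_files() whose content looks like a PEM key or certificate."""
    hits = {}
    for digest, locs in shared_files(image_dirs).items():
        image, rel = next(iter(locs))
        with open(os.path.join(image_dirs[image], rel), "rb") as f:
            head = f.read(4096)
        if any(marker in head for marker in KEY_MARKERS):
            hits[digest] = locs
    return hits

def build_sample_images():
    """Constructed sample: two pump images that share a PEM key and a comms binary."""
    base = tempfile.mkdtemp()
    pem = b"-----BEGIN RSA PRIVATE KEY-----\nSAMPLEKEY\n-----END RSA PRIVATE KEY-----\n"
    files = {"pumpA/etc/ssl/server.key": pem, "pumpB/etc/ssl/server.key": pem,
             "pumpA/bin/commsd": b"\x7fELF-sample", "pumpB/bin/commsd": b"\x7fELF-sample",
             "pumpA/etc/model": b"PUMP-A\n", "pumpB/etc/model": b"PUMP-B\n"}
    for rel, data in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return {img: os.path.join(base, img) for img in ("pumpA", "pumpB")}
```

A non-empty result from `shared_key_material()` is exactly the condition the list above describes: one private key or certificate compromised on any device in the set compromises every device that carries the same bytes.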
The lack of transparency from Hospira is certainly disappointing. While we are certainly capable of conducting variant analysis, researchers conducting variant analysis across a company’s product lines is not the most efficient approach. Given there is a public blog post, Wired article, DHS advisory, and FDA safety alert discussing the issues affecting the PCA 3, combined with the fact that the software is IDENTICAL on many Hospira communication modules, I find it impossible to believe that Hospira was unaware that the PCA3 issues also affected other pumps in their product lines.
I participate in discussions on how to improve the security of medical devices. For the most part, we all agree that the device vendor is in the best position to determine the scope and the depth of a particular security issue. They are also a key part of determining whether a particular issue can be used to cause patient harm. If we can’t trust medical device manufacturers to be transparent about publicly known security issues, and vendors like Hospira continue to harbor the “we’d rather not know” attitude towards security issues, we’ll have to find an alternative to medical device vulnerability analysis. I hope Hospira is the exception here…
— Billy Rios