Security researcher Jeremy Richards has called the Hospira Lifecare PCA 3 drug-pump "the least secure IP enabled device" he's examined.
The device attracted a NIST/DHS warning that classed the risk from the Lifecare product a 10/10.
Though the Lifecare product makes some particularly egregious security blunders, many of its mistakes are typical of medical devices.
What's worse than buggy, insecure software is buggy, insecure software that's illegal to research. Between the Computer Fraud and Abuse Act's ban on "exceeding authorization" on a computer (the law under which Aaron Swartz was charged) and the Digital Millennium Copyright Act's ban on publishing information that would help subvert an "effective means of access control," researchers who uncover these critical flaws face real jeopardy just for telling us information that we need to know in order to make good choices in matters of life and death.
Governments are terminally compromised when it comes to this stuff. On the one hand, they don't want voters dropping dead in the streets as hackers pwn their implanted defibrillators. On the other hand, they rely on weak computer security (ever going so far as to sabotage our systems and devices by deliberately introducing exploitable bugs in them) as a means of attacking "bad guys," who use the same computers as the rest of us. They also actively encourage the trade in offensive tools that weaponize bugs, even turning a blind eye to the sale of these tools to despotic regimes who use them to hack their adversaries in the USA (and elsewhere).
You can't have it both ways. Either we have real security, in which researchers aggressively root out flaws in our systems and get them patched; or we make life easier for the Tom Clancy LARPers in the security services, who do everything they can to turn all our systems into reservoirs of long-lived digital pathogens that they can exploit, threatening researchers who report bugs, and giving them big, military-industrial-complex-style paydays when they sell those bugs to digital arms dealers.
Someone you love already has an implanted medical device -- a pacemaker that can cook their hearts in seconds if it's badly secured, a cochlear implant that could serve as the world's most invasive listening device, a lethally compromised insulin pump. You probably spend part of every day in a car, building, or other enclosure whose informatics could kill, maim, or compromise you if it was compromised. When spooks, cops and politicians decide that catching bad guys is more important than keeping you secure against crooks, griefers, identity thieves, spies, dirty cops and other adversaries, they show themselves to be unfit for office. As Aaron Swartz said, "It's not OK not to understand the Internet."
What he found was shocking. Among other things, Richards noted that the device was listening on Telnet port 23. Connecting to the device, he was brought immediately to a root shell account that gave him total, administrator level access to the pump.
“The only thing I needed to get in was an interest in the pump,” he said.
Richards found other examples of loose security on the PCA 3: a FTP server that could be accessed without authentication and an embedded web server that runs Common Gateway Interface (CGI). That could allow an attacker to tamper with the pump’s operation using fairly simple commands.
The PCA pump also stored wireless keys used to connect to the local wireless network in plain text on the device. That means anyone with physical access to the Pump could gain access to the local medical device network and other devices on it. Furthermore, if pumps are not properly wiped prior to being sold, those keys may be transmitted to unknown buyers on the second-hand market, Richards warned.
Like other medical devices that independent security researchers have looked at, Richards said the Hospira LifeCare pump did not validate the authenticity of firmware updates prior to installing them – a common problem in the medical device sector.
Researcher: Drug Pump the ‘Least Secure IP Device I’ve Ever Seen’ [Paul/Security Ledger]