Security researcher Billy Rios has discovered vulnerabilities in several models of popular drug infusion pumps from manufacturer Hospira that would allow an attacker to remotely administer a lethal dose of medication to a patient.
As Wired points out, Rios has discovered vulnerabilities in Hospira’s standard PCA LifeCare pumps, its PCA3 LifeCare and PCA5 LifeCare pumps, its Plum A+ pumps, and its Symbiq line of pumps, which was discontinued in 2013.
More than 400,000 of the Illinois-based firm’s intravenous drug pumps are installed at hospitals around the globe.
Rios said he has personally tested the aforementioned machines to confirm the vulnerability, although he suspects the company’s Plum A+3, Sapphire and SapphirePlus models may exhibit the same flaw.
Earlier this year, Rios went public with a separate vulnerability that would allow nearly anyone to raise the upper and lower limits for dosages on select Hospira pumps by altering their drug libraries. By combining that vulnerability with the new ones, an attacker could potentially raise the dosage limit above the safe maximum and then administer a lethal dose without the pump sounding an alert.
The researcher notes that the problem lies in the fact that Hospira pumps will accept any firmware update. Ideally, the pumps should only accept firmware updates that are authenticated and digitally signed.
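As an added example (not code from the article, Hospira, or Rios), the check below shows how a pump's update path can enforce the signed-firmware requirement the article calls for. It assumes a constructed image layout (magic, version, payload, trailing Ed25519 signature) and a vendor public key embedded in the device, and it also refuses version rollback, which goes a step beyond what the article discusses.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical image layout, constructed for this example:
//   "HFW1" (4 bytes) | version (4 bytes, big-endian) | payload | Ed25519 signature (64 bytes)
// The signature covers everything before it, so version and payload cannot be altered
// without invalidating it.
var magic = []byte("HFW1")

const sigLen = ed25519.SignatureSize

type Firmware struct {
	Version uint32
	Payload []byte
}

// BuildSignedImage models the vendor's release tooling: it signs the image with the private key.
func BuildSignedImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	body := append([]byte{}, magic...)
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	body = append(body, v[:]...)
	body = append(body, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyFirmware is the gate the device must pass every update through before flashing:
// parse the image, verify the signature against the embedded vendor key, then refuse rollback.
func VerifyFirmware(pub ed25519.PublicKey, installedVersion uint32, image []byte) (*Firmware, error) {
	if len(image) < len(magic)+4+sigLen {
		return nil, errors.New("image too short")
	}
	body, sig := image[:len(image)-sigLen], image[len(image)-sigLen:]
	if !bytes.Equal(body[:4], magic) {
		return nil, errors.New("bad magic")
	}
	if !ed25519.Verify(pub, body, sig) {
		return nil, errors.New("signature check failed: refusing unsigned or tampered firmware")
	}
	version := binary.BigEndian.Uint32(body[4:8])
	if version <= installedVersion {
		return nil, fmt.Errorf("version %d not newer than installed %d: refusing rollback", version, installedVersion)
	}
	return &Firmware{Version: version, Payload: body[8:]}, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vendor keypair, generated here for the demo
	img := BuildSignedImage(priv, 2, []byte("constructed payload"))
	_, err := VerifyFirmware(pub, 1, img)
	fmt.Println("genuine image accepted:", err == nil)
	img[len(img)-sigLen-1] ^= 0xff // flip one payload byte, as a tampered update would
	_, err = VerifyFirmware(pub, 1, img)
	fmt.Println("tampered image rejected:", err != nil)
}
```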
Hospira reportedly didn’t believe the initial vulnerability existed when Rios brought it to their attention last year. The company declined to respond to a request for comment from Wired. To prove it’s possible, Rios said he is building a proof-of-concept that he will show off at next month’s SummerCon security conference.