The LifecarePCA is a drug infusion machine for hospital patients, designed to correctly administer the right dosage of medicine straight into the arm of a person in need. When it works as it should, mechanical precision thwarts human error and eases care. If someone with malicious intent were to gain control of the system, however, they could instead inject all of a painkiller vial into a victim at once. Recent work by security researcher Billy Rios shows that the LifecarePCA system, as well as five other models of drug delivery machines by Hospira, is vulnerable to hacks that can change the dosage of the drug delivered.
The pumps access a drug library–a digital reference that contains important information, such as appropriate dosage limits based on a patient’s age, gender, and weight, to prevent the machine from accidentally giving a harmful amount. The machine is very trusting, so whenever it accesses a drug library on the hospital’s network, it assumes that it’s the right library and doesn’t ask for authentication. That means anyone with access to the hospital network can potentially upload a new library that says they can give a lot more or a lot less of a given drug.
Alone, this is bad. What makes it worse is that a separate vulnerability in the devices allows an attacker to alter the firmware to tell the device to give an inaccurate dosage. Firmware, preinstalled on the device by the manufacturer, is the sort of background software that generally goes unnoticed. When a manufacturer realizes they have a bug in their product, they send out a firmware update, but most users never directly interact with it.
Yet, there’s no authentication process between the company sending out a firmware update and the machine checking it. So it’s possible that a hacker can send out a devious “firmware update,” tricking the machine into giving lethal dosage amounts. Normally, the machine checks these doses against the drug library and issues an alert if incorrect, but an altered drug library means the high dosage will be unnoticed. According to Rios’ research, while the consequences for a malicious hack of this kind are huge, the possibilities of a hack go way down if the company makes it so the machines require authentication from the company so that only official upgrades go through.
As with most medical device hacks, the shock is more akin to, “I can’t believe they left the door unlocked,” than it is, “These machines invite lethal tinkering.” Security researchers like Rios look in advance for problems in devices that companies may not have thought of, or might be dragging their feet on, before they become deadly vulnerabilities. Rios reported his initial research on this to the FDA, which oversees and regulates medical devices. Last month, they published an alert on the weaknesses in the pumps.