A widely used infusion pump can be remotely hijacked, say researchers

A workstation used to dock an infusion pump widely used in hospitals and medical facilities has critical security flaws that allow it to be remotely hijacked and controlled, according to security researchers.

Researchers at healthcare security firm CyberMDX found two vulnerabilities in the Alaris Gateway Workstation, developed by medical device maker Becton Dickinson.

Infusion pumps are one of the most common bits of kit in a hospital. These devices control the dispensing of intravenous fluids and medications, like painkillers or insulin. They’re often hooked up to a central monitoring station so medical staff can check on multiple patients at the same time.

But the researchers found that an attacker could install malicious firmware on a pump’s onboard computer, which powers, monitors and controls the infusion pumps. The gateway run on Windows CE, commonly used in pocket PCs before smartphones.

In the worst-case scenario, the researchers said it would be possible to adjust specific commands on the pump — including the infusion rate — on certain versions of the device by installing modified firmware.

The researchers said it was also possible to remotely brick the onboard computer.

The bug was scored a rare maximum score of 10.0 on the industry standard common vulnerability scoring system, according to Homeland Security’s advisory. A second vulnerability, scored at a lesser 7.3 out of 10.0, could allow an attacker to gain access to the workstation’s monitoring and configuration interfaces through the web browser.

The researchers said creating an attack kit was “quite easy” and “worked consistently,” said Elad Luz, CyberMDX’s head of research, in an email to TechCrunch. But the attack chain is complex and requires multiple steps, access to the hospital network, knowledge of the workstation’s IP address and the capability to write custom malicious code.

In other words, there are far easier ways to kill a patient than exploiting these bugs.

CyberMDX disclosed the vulnerabilities to Becton Dickinson in November and to federal regulators.

Becton Dickinson said device owners should update to the latest firmware, which contains fixes for the vulnerabilities. Spokesperson Troy Kirkpatrick said the pump is not sold in the U.S., but would not say how many devices were vulnerable “for competitive reasons.”

“There are about 50 countries that have these devices,” said Kirkpatrick. He confirmed that eight countries have more than 1,000 devices, three countries have more than 2,000 devices, but no country has more than 3,000 devices.

The flaws are another reminder that security issues can exist in any device — particularly life-saving equipment in the medical space.

Earlier this year, Homeland Security warned about a set of critical-rated vulnerabilities in Medtronic defibrillators. The government-issued alert said the device’s proprietary radio communications protocol did not require authentication, allowing a nearby attacker in certain circumstances to intercept and modify commands over-the-air.