Soon after warning device operators that widely used infusion pumps were vulnerable to remotely exploitable bugs, the Department of Homeland Security (DHS) became aware of “additional publicly disclosed vulnerabilities” impacting the products. To further heighten awareness, the U.S. Food and Drug Administration (FDA) has also issued its own public safety alert.
Last Tuesday, DHS' ICS-CERT told Hospira LifeCare PCA Infusion System users that an improper authorization flaw and an insufficient verification of data authenticity vulnerability affected the product. On Wednesday, ICS-CERT amended its advisory to add further vulnerabilities affecting versions 3 and 5 of the drug pumps.
In a Wednesday blog post, Patrick Coyle, a chemical security and cybersecurity expert in Texas, explained that the updated DHS alert followed his and OXTECH Security's warnings about other vulnerabilities: a hardcoded password that can be used for device access (CVE-2015-1011), and sensitive information, such as stored credentials, held in clear text where unauthorized parties can read it (CVE-2015-1012). Additionally, another vulnerability, for which DHS provided no CVE number, referenced “vulnerable versions of AppWeb that were used by Hospira,” Coyle wrote.
ICS-CERT noted that the added vulnerabilities could “impact the confidentiality, integrity, and availability of the LifeCare PCA Infusion pump.” The CERT also said that exploits targeting some of the bugs “are known to be publicly available.”
The hardcoded password issue (CVE-2015-1011) was assigned a CVSS (Common Vulnerability Scoring System) base score of 10, the maximum on the CVSS version 2 scale ICS-CERT used at the time, and the bug allowing clear text storage of sensitive information (CVE-2015-1012) was assigned a base score of 6.4.
Lake Forest, Ill.-based pharmaceutical and medical device firm Hospira told DHS that it plans to retire versions 2 and 3 of the LifeCare PCA Infusion System – which is used to administer medication to patients worldwide – by the end of this year. An updated version of the LifeCare product, Version 7.0, has been developed by Hospira to address reported security issues, but it is currently under review by the FDA, the advisory noted.
In its Wednesday safety alert, FDA said that it was “actively investigating the situation” and was working closely with Hospira and DHS on the matter.
“An unauthorized user with malicious intent could access the pump remotely and modify the dosage it delivers, which could lead to over- or under-infusion of critical therapies,” the agency warned. “The FDA is not aware of any patient adverse events or unauthorized device access related to these vulnerabilities.”
DHS advised owners of the infusion pump to take certain mitigation steps to prevent exploitation, including closing unused ports, particularly Port 20/FTP and Port 23/TELNET (note that FTP's control channel listens on TCP port 21 and uses port 20 only for data transfers, so both FTP ports should be closed), implementing a defense-in-depth security strategy for environments operating medical devices (by layering physical and logical security), and isolating the infusion pump from the internet and “untrusted systems."
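One way a hospital biomedical or network team can verify those mitigations on a device VLAN is to scan it and check the results against the advisory's port list and the intended isolation boundary. The script below is an added example, not code from the article, DHS, ICS-CERT or Hospira. It parses nmap's grepable (`-oG`) output format, which is real, but the scan rows, host names, banners and the `10.20.30.0/24` "device subnet" are constructed for the example and are not from the advisory.

```python
import ipaddress
import re

# Ports the ICS-CERT advisory tells pump owners to close (FTP and Telnet),
# plus the embedded web server (AppWeb) the amended advisory called out.
# TCP 21 is the FTP control channel; 20 is the data channel the advisory
# names, so both are listed.
CLOSE_PORTS = {20: "ftp-data", 21: "ftp", 23: "telnet"}
REVIEW_PORTS = {80: "http", 443: "https"}

# Assumption for this example: pumps are supposed to live only inside an
# isolated medical-device subnet. This range is hypothetical.
DEVICE_SUBNET = ipaddress.ip_network("10.20.30.0/24")

# Constructed nmap -oG (grepable) output standing in for a scan of a device
# VLAN. Hosts, names and banners are invented; the format is nmap's real one.
SAMPLE_SCAN = """\
# Nmap 6.47 scan initiated (constructed sample)
Host: 10.20.30.11 (pump-icu-01)\tStatus: Up
Host: 10.20.30.11 (pump-icu-01)\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///, 80/open/tcp//http//Embedthis Appweb/\tIgnored State: closed (997)
Host: 10.20.30.12 (pump-icu-02)\tStatus: Up
Host: 10.20.30.12 (pump-icu-02)\tPorts: 80/open/tcp//http//Embedthis Appweb/\tIgnored State: closed (999)
Host: 10.20.30.13 (pump-icu-03)\tStatus: Up
Host: 10.20.30.13 (pump-icu-03)\tPorts: 23/filtered/tcp//telnet///\tIgnored State: closed (999)
Host: 192.168.1.77 (pump-ward-09)\tStatus: Up
Host: 192.168.1.77 (pump-ward-09)\tPorts: 23/open/tcp//telnet///\tIgnored State: closed (999)
"""

# One -oG port entry: port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/,]*)/")


def parse_grepable(text):
    """Parse nmap -oG output into {ip: (hostname, {port: (state, service, version)})}.

    Only TCP entries are kept; every port in the advisory is a TCP service.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split()
        ip = fields[1]
        hostname = fields[2].strip("()") if fields[2].startswith("(") else ""
        _, ports = hosts.setdefault(ip, (hostname, {}))
        if "Ports:" not in line:
            continue
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for m in PORT_RE.finditer(ports_field):
            port, state, proto, _owner, service, _rpc, version = m.groups()
            if proto == "tcp":
                ports[int(port)] = (state, service, version)
    return hosts


def audit(hosts, device_subnet=DEVICE_SUBNET):
    """Return a list of (ip, hostname, issue, detail) tuples, one per problem.

    Issues: 'close-port' for an open FTP/Telnet port the advisory says to
    close, 'review-web' for an exposed embedded web server whose AppWeb
    version should be checked, and 'not-isolated' for a pump found outside
    the device subnet. A 'filtered' port is not flagged here: something in
    the path blocks it, though the service may still be enabled on the pump.
    """
    findings = []
    for ip, (hostname, ports) in hosts.items():
        if ipaddress.ip_address(ip) not in device_subnet:
            findings.append((ip, hostname, "not-isolated",
                             f"outside device subnet {device_subnet}"))
        for port, (state, service, version) in sorted(ports.items()):
            if state != "open":
                continue
            if port in CLOSE_PORTS:
                findings.append((ip, hostname, "close-port",
                                 f"{port}/tcp {CLOSE_PORTS[port]} is open"))
            elif port in REVIEW_PORTS:
                findings.append((ip, hostname, "review-web",
                                 f"{port}/tcp {service} {version}".strip()))
    return findings


def summarize(findings):
    """Count findings per issue type, e.g. {'close-port': 3, 'review-web': 2}."""
    counts = {}
    for _ip, _host, issue, _detail in findings:
        counts[issue] = counts.get(issue, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(parse_grepable(SAMPLE_SCAN))
    for ip, host, issue, detail in results:
        print(f"{ip:<14} {host:<14} {issue:<13} {detail}")
    print(summarize(results))
```

Run the same parser over a real `nmap -sT -p 20,21,23,80,443 -oG scan.txt <device-vlan>` capture to get the actual list. A host that shows up with `not-isolated` is the finding that matters most, since it means the pump is reachable from a network segment the isolation step was supposed to rule out.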