Yesterday Neil Versel of MedCityNews reported about an alleged firmware-based attack against a Hospira medical device was a sham, the ‘hacker’ staged it, at least that is the response from the medical device maker. Excerpt of Neil’s article:
“In the video, filmed during a live demonstration on stage at the recent BlackBerry Security Summit 2015 in New York, BlackBerry’s Graham Murphy physically connected a laptop to the pump’s Ethernet port, then took control of the medical device. He then did the same via Wi-Fi. In both cases, he relied on the fact that the FCC ID on the pump helped Murphy identify the specific, fixed IP address associated with the product. But Hospira said BlackBerry also did something the audience did not see. “Part of our investigation into the LifeCare PCA infusion pump demonstration included a conversation with one of the ‘hackers’ who admitted that they manipulated the firmware on the device by having physical access to it prior to their demonstration of the hack. This was not a remote or wireless ‘hack’ as the video implied and physical access to the device would be required to alter the settings as shown in the video,” the Hospira statement said. “These demonstrated hacks were done in non-clinical environments without the security protections and protocols typical of real patient care settings. For patient use, these devices are connected to hospital networks and any attempts to remotely attack an infusion device would require penetration of several layers of network security enforce by the hospital, including firewalls. These measures serve as the primary defense against tampering with a medical device.” At least let’s hope every hospital that uses one of these pumps has better security. If not, you probably should avoid treatment there just to be safe, and the CIO should be fired. Just sayin’.
Full article:
http://crackberry.com/blackberry-security-summit-2015-live-blog
There’s a lot of history here:
http://www.cvedetails.com/vulnerability-list/vendor_id-15332/product_id-32031/Hospira-Lifecare-Pcainfusion-Firmware.html
http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm446809.htm
http://www.wired.com/2015/06/hackers-can-send-fatal-doses-hospital-drug-pumps/
Security hole in Hospira hospital drug pumps could let through fatal doses
https://www.google.com/?gws_rd=ssl#q=hospira+firmware+security
Firmware Security 