Security: A widely used infusion pump can be remotely hijacked, say researchers

A workstation used to dock an infusion pump widely used in hospitals and medical facilities has critical security flaws that allow it to be remotely hijacked and controlled, according to security researchers.

Researchers at healthcare security firm CyberMDX found two vulnerabilities in the Alaris Gateway Workstation, developed by medical device maker Becton Dickinson.

Infusion pumps are one of the most common bits of kit in a hospital. These devices control the dispensing of intravenous fluids and medications, like painkillers or insulin. They’re often hooked up to a central monitoring station so medical staff can check on multiple patients at the same time.

But the researchers found that an attacker could install malicious firmware on a pump’s onboard computer, which powers, monitors and controls the infusion pumps. The gateway runs on Windows CE, an operating system commonly used in pocket PCs before smartphones.

In the worst-case scenario, the researchers said it would be possible to adjust specific commands on the pump — including the infusion rate — on certain versions of the device by installing modified firmware.

The researchers said it was also possible to remotely brick the onboard computer.

The bug received a rare maximum score of 10.0 on the industry-standard Common Vulnerability Scoring System, according to Homeland Security’s advisory. A second vulnerability, scored at a lesser 7.3 out of 10.0, could allow an attacker to gain access to the workstation’s monitoring and configuration interfaces through the web browser.

Creating an attack kit was “quite easy” and “worked consistently,” said Elad Luz, CyberMDX’s head of research, in an email to TechCrunch. But the attack chain is complex and requires multip
