Home / Security / Security: A widely used infusion pump can be remotely hijacked, say researchers

Security: A widely used infusion pump can be remotely hijacked, say researchers

Security:

A workstation used to dock an infusion pump widely used in hospitals and medical facilities has critical security flaws that allow it to be remotely hijacked and controlled, according to security researchers.

Researchers at healthcare security firm CyberMDX found two vulnerabilities in the Alaris Gateway Workstation, developed by medical device maker Becton Dickinson.

Infusion pumps are one of the most common bits of kit in a hospital. These devices control the dispensing of intravenous fluids and medications, like painkillers or insulin. They’re often hooked up to a central monitoring station so medical staff can check on multiple patients at the same time.

But the researchers found that an attacker could install malicious firmware on a pump’s onboard computer, which powers, monitors and controls the infusion pumps. The gateway run on Windows CE, commonly used in pocket PCs before smartphones.

In the worst-case scenario, the researchers said it would be possible to adjust specific commands on the pump — including the infusion rate — on certain versions of the device by installing modified firmware.

The researchers said it was also possible to remotely brick the onboard computer.

The bug was scored a rare maximum score of 10.0 on the industry standard common vulnerability scoring system, according to Homeland Security’s advisory. A second vulnerability, scored at a lesser 7.3 out of 10.0, could allow an attacker to gain access to the workstation’s monitoring and configuration interfaces through the web browser.

The researchers said creating an attack kit was “quite easy” and “worked consistently,” said Elad Luz, CyberMDX’s head of research, in an email to TechCrunch. But the attack chain is complex and requires multip

Read More

About admin

Check Also

Security: Apple took action to repair Zoom flaw, which proves how valuable it develop into

Security: Apple took action to repair Zoom flaw, which proves how valuable it develop into

Yesterday, video conferencing service Zoom released an update for its Mac client, removing the controversial web server functionality that opened up the possibility of someone launching a video call on user's computer without permission.  But now, TechCrunch reports that Apple decided to step in regardless, launching a silent update for Macs that removes Zoom's web…

Leave a Reply

Your email address will not be published. Required fields are marked *