When security researcher Billy Rios reported in early 2015 that he had discovered vulnerabilities in a popular drug infusion pump that allow hackers to raise the dose limit of drugs given to patients, no one was as concerned as they should have been.
Altering the permitted drug limits simply meant that if a caregiver accidentally instructed the pump to give too high or too low a dose, the pump would not issue any warning.
But the same researcher recently announced that the pumps had vulnerabilities that allow hackers to substantially change the dosage.
Billy Rios reports that he has discovered far more serious weaknesses in several pump models from the same manufacturer, which allow hackers to secretly and remotely change the amount of medication given to a patient.
"This is the first time we know we can change the dosage," Rios told Wired.
The vulnerabilities are known to affect at least five models of drug infusion pumps made by Hospira, an Illinois company that has sold more than 400,000 intravenous drug delivery pumps to hospitals around the world.
Vulnerable models include the company's standard PCA LifeCare pumps (the PCA3 LifeCare and PCA5 LifeCare), the Symbiq line of pumps, which the company stopped selling in 2013 over quality and safety issues, and the Plum A+ pumps. Hospira has made at least 325,000 of the latter model available to hospitals around the world.
These are the systems that Rios knows with confidence to be vulnerable because he has tested them. But he suspects that the company's Plum A+3, Sapphire and SapphirePlus models also have security problems.
The new vulnerabilities discovered by Billy Rios allow attackers to remotely change the pump firmware, giving them complete device control and the ability to change doses provided to patients.
Just as importantly, the attackers could also change the pump display to indicate that the dosage is normal.
Billy Rios will present the first PoC at the SummerCon security conference to be held in Brooklyn, New York next month.