Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

Hacked IV Pumps and Digital Smart Pens Can Lead to Data Breaches

Researcher to reveal IoT medical device dangers at Black Hat Europe this week.

An attack on a single IV infusion pump or digital smart pen can be leveraged to a widespread breach that exposes patient records, according to a Spirent SecurityLabs researcher.

Saurabh Harit, managing consultant with Spirent, will present his findings on flaws in IV infusion pumps and digital smart pens at Black Hat Europe this week.

"Perpetuators can use this patient information to file false insurance claims as well as to buy medical equipment and drugs using a fake ID. These products are then easily sold on the black market," Harit says. "What makes medical data more lucrative than the financial data is the low and slow detection rate of the fraud itself. While a credit card fraud can be detected and blocked in a matter of minutes these days, medical data fraud can go undetected for months, if not more."

Harit has notified the affected IV infusion pump and digital smart pen vendors of the vulnerabilities, which have patched the flaws, Harit says he will not reveal the names of the companies or their devices.

Smart Pen Problems

"By far the most surprising thing we came across in our research was the amount of patient information that was available with the digital smart pen," Harit says. "We felt even if we breached it, we would not get a lot of information off of it because the healthcare organization said they did not store patient information on the device."

Doctors use digital smart pens to prescribe medications for patients and that information is then digitally transmitted to pharmacies with the patient's name, address, phone number, health records, and other medical information.

But after reverse-engineering the digital smart pen, Harit found a cache of information. First he peered into the device's underlying operating system by simply connecting a monitor to the device through a serial interface.

Then, by exploiting network protocols, he obtained low-privilege access to the device. After exploiting its software and services to bypass the device's security checks and lock-down mode, he was able to gain administrative access.

Once the on-device encryption was broken, Harit gained access to sensitive configurations for the healthcare institution’s backend servers, where a treasure trove of patient medical records and other sensitive data could be found for a number of doctors and medical facilities tied to that healthcare institution that had used the digital smart pens.

"I thought this server was not connected to the Internet, but it was," Harit says.

Fixing the vulnerability in the digital smart pen was easy, though, because it's a new product and designed with security in mind, Harit says, noting that the pens can be updated remotely.

Lethal Pump

Harit's research also explored the security of an IV infusion pump, a growing target when it comes to IoT medical device attacks and one that can be lethal given that it delivers fluids, medication, and nutrients to patients.

Harit discovered that a simple $7 hardware device could interface with the IV infusion pump, read its configuration data, and understand which access point it was seeking to connect to. As a result, he established a fake access point, connected with the IV pump, and then collected sensitive medical data on an individual that included a master drug list and quantity of drugs to be taken.  

"If you have 200 of the same pumps in a hospital, an attacker could write a malware script and launch it onto the hospital network and modify the attack to search for all the pumps and attack them," he says.

The IV pump requires the creation, test, and remote deployment of a patch to fix the vulnerability, Harit says.

An attacker would need to gain physical access to the IV pump or digital smart pen to compromise them, Harit says.

He adds that task is not difficult, given the relative ease in walking into a poorly staffed hospital room or medical clinic room. Digital smart pens are small, so they are also easy to pocket, he notes.

Meanwhile, healthcare organizations that suffer a data breach typically learn about a breach from a third party, such as an insurance company, end user, a security monitoring entity, or law enforcement, Harit says.

"In most cases, the breach goes undetected for months and even years."

Related Content:

 

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Enkryptonite
50%
50%
Enkryptonite,
User Rank: Apprentice
2/9/2018 | 6:29:19 AM
I agree.
Technology as increasing day by day data is becoming more secure and the protection of that is more important .

It should be kept in a safe environment as to prevent from the unauthorized viewing.
thumbman3
50%
50%
thumbman3,
User Rank: Apprentice
12/5/2017 | 5:51:25 PM
Hack?
The hack is that with physical access to a pump you can figure out what drugs are being injected? Can't you just figure that out by reading the display?

 

There's more to this, right??
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
12/4/2017 | 8:45:36 AM
Not surprising
The sad aspect to this IoT discussion is that ANY wireless item of any kind (and I have a wireless defibulator inside of me so write from experience) has an associated IP address - obviously - associated with it and, therefore, a door for a hacker.  Does not matter WHAT type of device!!!  If it has a number and that protocol is not protected somewhere down the path, well - there you go.  Just follow the yellow IP road to Oz.  
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
New Attack Campaigns Suggest Emotet Threat Is Far From Over
Jai Vijayan, Contributing Writer,  1/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-3622
PUBLISHED: 2020-01-22
A Cross-Site Scripting (XSS) vulnerability exists in the admin login screen in Phorum before 5.2.18.
CVE-2020-5221
PUBLISHED: 2020-01-22
In uftpd before 2.11, it is possible for an unauthenticated user to perform a directory traversal attack using multiple different FTP commands and read and write to arbitrary locations on the filesystem due to the lack of a well-written chroot jail in compose_abspath(). This has been fixed in versio...
CVE-2019-19834
PUBLISHED: 2020-01-22
Directory Traversal in ruckus_cli2 in Ruckus Wireless Unleashed through 200.7.10.102.64 allows a remote attacker to jailbreak the CLI via enable->debug->script->exec with ../../../bin/sh as the parameter.
CVE-2019-19836
PUBLISHED: 2020-01-22
AjaxRestrictedCmdStat in zap in Ruckus Wireless Unleashed through 200.7.10.102.64 allows remote code execution via a POST request that uses tools/_rcmdstat.jsp to write to a specified filename.
CVE-2019-19843
PUBLISHED: 2020-01-22
Incorrect access control in the web interface in Ruckus Wireless Unleashed through 200.7.10.102.64 allows remote credential fetch via an unauthenticated HTTP request involving a symlink with /tmp and web/user/wps_tool_cache.