This afternoon the DHS ICS-CERT published an advisory for twin vulnerabilities in the Hospira LifeCare PCA Infusion System. The vulnerabilities were reported by Billy Rios. Hospira has developed a new version of the software that is awaiting FDA approval. There is no indication that Billy has been given an opportunity to verify the efficacy of the fix.
The ICS-CERT Advisory
ICS-CERT reports that the twin vulnerabilities are:
∙ Improper authorization - CVE-2015-3459; and
∙ Insufficient verification of data authenticity - CVE-2014-5406
According to ICS-CERT, a relatively unskilled attacker could remotely exploit ‘one of these vulnerabilities’ (apparently CVE-2015-3459); the other would require more skill. Hospira is only making its report on these vulnerabilities available by phone request.
ICS-CERT reports that there are no known public exploits for these vulnerabilities, but it is releasing the advisory before the fix is in place (ICS-CERT reports having worked with the vendor since May of last year) because vulnerability information has already been publicly released.
The Public Release
ICS-CERT does not describe the release that triggered the early publication of this advisory, but there is certainly an in-depth discussion of the vulnerability on the 0XTECH Security Blog, published last week. Actually, if this is the public discussion that prompted ICS-CERT's early release, it did a real disservice to the medical device security community, because the advisory seems to leave out a number of vulnerabilities; very critical vulnerabilities, in my opinion.
Probably the most important, to my mind, is that the device stores the encryption keys for access to the hospital wireless network in plain text. Anyone who pulls that key off one pump can join the hospital wireless network and reach every other Hospira infusion pump on it.
Jeremy Richards, the blog author, also reports that there are hard-coded accounts on the devices with inadequately hashed passwords, and that the web server used on the device has uncorrected vulnerabilities that have already been publicly disclosed.
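The two findings above (wireless keys in the clear, weakly hashed hard-coded accounts) are exactly the things a reviewer would grep an extracted firmware image for. The following is an added example, not code from this post, from Richards, or from Hospira: it scans a wpa_supplicant-style configuration for stored network credentials and an /etc/shadow-style file for weak or empty password hashes. Both sample files are constructed for the example; the post does not describe the actual file layout on the pump, so the paths and contents are assumptions.

```python
"""Audit an extracted firmware filesystem for clear-text wireless credentials
and weak account password hashes. Added example; all sample data is constructed
and is not from the Hospira LifeCare PCA device."""
import re

# Constructed wpa_supplicant-style config. Every form of psk=/password= here is
# a reusable credential: the quoted psk is the passphrase, the 64-hex psk is the
# derived PMK (enough to join the network on its own), and the EAP password is
# stored in the clear.
SAMPLE_WPA_CONF = """network={
    ssid="CLINICAL-WLAN"
    key_mgmt=WPA-PSK
    psk="pump-network-passphrase"
}
network={
    ssid="BIOMED-WLAN"
    key_mgmt=WPA-PSK
    psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
}
network={
    ssid="ENTERPRISE-WLAN"
    key_mgmt=WPA-EAP
    identity="pump0042"
    password="eap-password-in-the-clear"
}
"""

# Constructed /etc/shadow-style file: md5crypt, traditional DES crypt,
# sha512crypt, an empty (passwordless) field, and a locked account.
SAMPLE_SHADOW = """root:$1$Ab3Xz9qQ$5lhW3Q2E2gFt7vRr1sQ1c0:16000:0:99999:7:::
service:AbCdEfGhIjKlM:16000:0:99999:7:::
maint:$6$saltsalt$Q7xk2mN9pL4vR1sT8uW3yZ5aB6cD0eF2gH4iJ6kL8mN0oP2qR4sT6uV8wX0yZ2aB4cD6eF8gH0i:16000:0:99999:7:::
guest::16000:0:99999:7:::
daemon:*:16000:0:99999:7:::
"""


def find_wifi_secrets(conf_text):
    """Return one finding per stored wireless credential, tagged by its form."""
    findings = []
    ssid = None
    for line in conf_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "ssid":
            ssid = value.strip('"')
        elif key in ("psk", "password") or re.fullmatch(r"wep_key\d", key):
            if key == "psk" and re.fullmatch(r"[0-9a-fA-F]{64}", value):
                kind = "raw PMK (64 hex)"
            elif value.startswith("hash:"):
                kind = "NT hash (reusable for MSCHAPv2)"
            elif value.startswith('"'):
                kind = "quoted passphrase"
            else:
                kind = "unquoted value"
            findings.append({"ssid": ssid, "field": key, "kind": kind})
    return findings


def classify_hash(field):
    """Classify a shadow password field by the crypt scheme its prefix declares."""
    if field == "":
        return "EMPTY: no password required"
    if field.startswith(("*", "!")):
        return "locked/no login"
    if field.startswith("$1$"):
        return "WEAK: md5crypt"
    if field.startswith(("$2a$", "$2b$", "$2y$")):
        return "OK: bcrypt"
    if field.startswith(("$5$", "$6$", "$7$", "$y$", "$argon2")):
        return "OK: modern crypt"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "WEAK: traditional DES crypt (8-char limit, 12-bit salt)"
    if re.fullmatch(r"[0-9a-fA-F]{32}", field):
        return "WEAK: unsalted 32-hex digest (likely MD5)"
    return "UNKNOWN scheme"


def audit_shadow(shadow_text):
    """Return (username, classification) for every entry in a shadow file."""
    results = []
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and parts[0] and not line.startswith("#"):
            results.append((parts[0], classify_hash(parts[1])))
    return results


def weak_accounts(shadow_text):
    """Usernames whose password field is weakly hashed or empty."""
    return [u for u, v in audit_shadow(shadow_text) if v.startswith(("WEAK", "EMPTY"))]


if __name__ == "__main__":
    for f in find_wifi_secrets(SAMPLE_WPA_CONF):
        print(f"wifi secret: ssid={f['ssid']!r} field={f['field']} ({f['kind']})")
    for user, verdict in audit_shadow(SAMPLE_SHADOW):
        print(f"account {user}: {verdict}")
    print("accounts to flag:", weak_accounts(SAMPLE_SHADOW))
```

Run it against the extracted root filesystem by reading the real config and shadow files in place of the constructed samples; any psk= or password= hit means the network credential is recoverable from the device, and any account in the weak list can be cracked offline once the image is in hand.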
Oh, there is an interesting back and forth between Richards and a medical device expert in the comments section. That expert belittles the severity of the vulnerabilities that Richards disclosed, but his arguments sounded weak and pretty poorly informed.
Maybe an Alert was More Appropriate
The interesting thing here is that according to a ThreatPost article posted today, these vulnerabilities were all discovered by Richards, not Rios (Richards does acknowledge prior work by Billy on the Hospira MedNet vulnerabilities). It could be that there were actually separate discoveries of different vulnerabilities on the same device. Or it could be that Richards simply found the same vulnerabilities on the infusion system devices that Billy found earlier on the MedNet devices (they do sound somewhat similar).
If they were separate vulnerabilities, ICS-CERT might have better served the public by issuing an alert for the vulnerabilities publicly reported by Richards and held off on the Rios based advisory until the FDA validated the newer version of the software.
FDA Cybersecurity Problem
One final point in passing: it has been almost a year now since Billy reported his vulnerabilities. Somewhere in that year's time Hospira wrote a new version of the affected software (the Advisory gives no indication of when), and now the FDA is reviewing it. A quick search of the FDA web site does not show any recall of these devices for the vulnerabilities that either researcher noted, or even a warning notice to users about them. There have, however, been two recalls for problems with a plastic door that does not necessarily stay closed. It may provide access to drugs, you know.
I’m absolutely sure (well at least pretty sure) that ICS-CERT would have included the FDA in its coordination of this vulnerability. So why has the FDA ignored the issue? Probably the same reason that they have generally written off cybersecurity issues in general; it’s just not their job. And that is a damn shame.
BTW: There was a new Siemens-CERT advisory issued yesterday that I had expected to see today on ICS-CERT. It didn’t make it; maybe tomorrow.