Today the DHS ICS-CERT updated the advisory for the Hospira LifeCare PCA Infusion System that was originally issued last week. The update adds new vulnerabilities and mitigation information. Meanwhile the FDA has issued a Safety Communication on the same device.
The ICS-CERT update notes it has become aware of “additional publicly disclosed vulnerabilities in the LifeCare Infusion System”. ICS-CERT credits the reporting of these vulnerabilities to ‘tech’, apparently from the OXTECH Security blog that I mentioned in my post on the original advisory. Those vulnerabilities are:
∙ Use of hardcoded passwords - CVE-2015-1011;
∙ Clear text storage of sensitive information - CVE-2015-1012; and
∙ Vulnerable software version used – No CVE provided
The vulnerable software is a reference to vulnerable versions of AppWeb (the embedded web server) that were used by Hospira. The advisory notes that this software is known to contain numerous vulnerabilities, but it does not identify them. A listing of the CVEs (at least) would have been helpful.
While the new version of the Hospira software is undergoing FDA review, this update provides additional mitigation measures that can be undertaken.
In what looks to be a cybersecurity first for the FDA, they have published an FDA Safety Communication about the same vulnerabilities. In fact, the FDA publication specifically references today’s ICS-CERT update for technical information about the vulnerability and mitigation measures.
An interesting component of the FDA advisory is the inclusion of a reference to voluntary reporting through MedWatch, the FDA Safety Information and Adverse Event Reporting program. They specifically ask medical providers experiencing the problems reported in this advisory to report the incidents. This would help the FDA track and report actual exploits to the medical community. ICS-CERT might want to consider establishing the same type of reporting program for exploits of reported ICS vulnerabilities.
One critical thing that appears to be missing from both of these advisories is any mention of the fact, reported by ‘tech’, that access to the clear text WPA keys on the device could provide an attacker with access to the medical network to which these devices are connected. The OXTECH blog post makes it clear that even after these devices are removed from service, the presence of these keys will remain a potential threat to the networks until that memory is wiped or the machines are physically destroyed.
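The last point is one a hospital security team can actually check before a pump leaves the building. The script below is an added example, not code from the advisory, the OXTECH post or Hospira: given a memory or flash image pulled from a device, it looks for the site's own known WPA passphrase as raw bytes (which works regardless of how the vendor stores it) and, separately, for the clear-text key fields that common Linux Wi-Fi configuration files use. The sample image, the passphrase and the wpa_supplicant/hostapd-style layout are constructed here for illustration; the page does not say how the LifeCare PCA actually stores its keys, so the pattern search is a heuristic and the known-passphrase search is the reliable part.

```python
import re

# Constructed sample values. KNOWN_PSK stands in for the passphrase the
# hospital network actually uses; the "dump" is a made-up flash image that
# carries it twice, in two storage formats that are assumptions, not the
# real device layout.
KNOWN_PSK = "Ward7-Infusion-Net!"

SAMPLE_DUMP = (
    b"\x00" * 32
    + b"network={\n\tssid=\"MED-IV\"\n\tpsk=\"" + KNOWN_PSK.encode() + b"\"\n}\n"
    + b"\xff" * 16
    + b"wpa_passphrase=" + KNOWN_PSK.encode() + b"\n"
    + b"\x00" * 32
)

# Clear-text PSK fields as written by common Linux Wi-Fi tools (assumed formats).
# Values are restricted to printable ASCII so erased (0x00/0xFF) bytes never match.
PSK_PATTERNS = [
    ("wpa_supplicant passphrase", re.compile(rb'psk="([\x20-\x21\x23-\x7e]{8,63})"')),
    ("wpa_supplicant raw PSK",    re.compile(rb'psk=([0-9a-fA-F]{64})')),
    ("hostapd passphrase",        re.compile(rb'wpa_passphrase=([\x20-\x7e]{8,63})')),
]


def find_known_psk(image: bytes, psk: str):
    """Offsets at which the site's known passphrase appears verbatim in the image."""
    needle = psk.encode()
    offsets, start = [], 0
    while True:
        i = image.find(needle, start)
        if i == -1:
            return offsets
        offsets.append(i)
        start = i + 1


def find_psk_patterns(image: bytes):
    """(offset, format label, value) for every clear-text PSK field found."""
    hits = []
    for label, pat in PSK_PATTERNS:
        for m in pat.finditer(image):
            hits.append((m.start(1), label, m.group(1).decode("ascii", errors="replace")))
    return sorted(hits)


def wipe_regions(image: bytes, regions):
    """Return a copy with each (offset, length) region overwritten with 0xFF.

    This simulates the erase; on real hardware you would erase the whole
    configuration partition, not just the bytes a scan happened to flag.
    """
    buf = bytearray(image)
    for off, length in regions:
        buf[off:off + length] = b"\xff" * length
    return bytes(buf)


def decommission_check(image: bytes, psk: str) -> bool:
    """True only if neither the known passphrase nor any PSK-shaped field remains."""
    return not find_known_psk(image, psk) and not find_psk_patterns(image)


if __name__ == "__main__":
    for off, label, value in find_psk_patterns(SAMPLE_DUMP):
        print(f"offset {off:#06x}: {label}: {value}")
    print("known PSK at", [hex(o) for o in find_known_psk(SAMPLE_DUMP, KNOWN_PSK)])
    print("safe to dispose:", decommission_check(SAMPLE_DUMP, KNOWN_PSK))
```

Run it against a real image and a non-empty result means the device still carries a credential for the clinical Wi-Fi and must be wiped or destroyed, exactly the residual risk the advisories omit. The check is also useful the other way round: once a pump has been exposed, rotating the WPA passphrase on the network side removes the value of whatever copies remain on decommissioned units.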