Healthcare security firm CyberMDX has discovered two bugs affecting a popular infusion pump, allowing hijackers to remotely access and control it. Homeland Security has disclosed the vulnerabilities in the Alaris Gateway Workstation, a hospital pump that delivers fluids into a patient's body in a controlled manner, detailing how they can be exploited and fixed. The researchers found that attackers could exploit the bugs to install malware on the pump's onboard computer running Windows CE, which powers and controls the device.
They also found that attackers can use the vulnerabilities to remotely kick the pumps offline, as well as adjust specific commands. For instance, they could change its configuration, which will alter infusion rates and change the dosages patients get. CyberMDX told TechCrunch that creating an attack kit is "quite easy," but the actual infiltration process can be pretty complex. It requires multiple steps and, among other things, the knowledge of a particular workstation's IP address. As TC noted, it'll be hard to actually kill a patient using the bugs.
Even so, hospitals are advised to secure their devices by updating their software -- the bugs can only be exploited on older firmware. Especially since the pump is just one of the medical devices that can be hijacked these days. Vulnerabilities in medical equipment have become a big issue lately that the FDA is asking manufacturers to boost their cybersecurity measures and protect products like pacemakers and insulin pumps from cyberattacks.
Update 06/14/19 11:20AM ET: A spokesperson from BD, the company behind the infusion system, has told us that the Alaris Gateway Workstation isn't its most widely used pump and that it's not sold in the US. While the flaws can be fixed simply by updating its software, BD will roll out a patch for those who don't (or can't) update their software over the next 60 days.