Latest in Gear

Image credit:

Bugs in a popular hospital pump may let attackers alter drug dosages

Homeland Security is advising hospitals to update their software.
193 Shares
Share
Tweet
Share

Sponsored Links

Alaris

Healthcare security firm CyberMDX has discovered two bugs affecting a popular infusion pump, allowing hijackers to remotely access and control it. Homeland Security has disclosed the vulnerabilities in the Alaris Gateway Workstation, a hospital pump that delivers fluids into a patient's body in a controlled manner, detailing how they can be exploited and fixed. The researchers found that attackers could exploit the bugs to install malware on the pump's onboard computer running Windows CE, which powers and controls the device.

They also found that attackers can use the vulnerabilities to remotely kick the pumps offline, as well as adjust specific commands. For instance, they could change its configuration, which will alter infusion rates and change the dosages patients get. CyberMDX told TechCrunch that creating an attack kit is "quite easy," but the actual infiltration process can be pretty complex. It requires multiple steps and, among other things, the knowledge of a particular workstation's IP address. As TC noted, it'll be hard to actually kill a patient using the bugs.

Even so, hospitals are advised to secure their devices by updating their software -- the bugs can only be exploited on older firmware. Especially since the pump is just one of the medical devices that can be hijacked these days. Vulnerabilities in medical equipment have become a big issue lately that the FDA is asking manufacturers to boost their cybersecurity measures and protect products like pacemakers and insulin pumps from cyberattacks.

Update 06/14/19 11:20AM ET: A spokesperson from BD, the company behind the infusion system, has told us that the Alaris Gateway Workstation isn't its most widely used pump and that it's not sold in the US. While the flaws can be fixed simply by updating its software, BD will roll out a patch for those who don't (or can't) update their software over the next 60 days.

In this article: gear, security
All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.
Comment
Comments
Share
193 Shares
Share
Tweet
Share

Popular on Engadget

Engadget's 2020 Back-to-School Guide

Engadget's 2020 Back-to-School Guide

View
The Morning After: Google's $350 Pixel 4a is the best midrange phone you can buy

The Morning After: Google's $350 Pixel 4a is the best midrange phone you can buy

View
A $13,000 electric car will go on sale in the US by late 2020

A $13,000 electric car will go on sale in the US by late 2020

View
'Avengers: Endgame' directors will make Netflix's most expensive film yet

'Avengers: Endgame' directors will make Netflix's most expensive film yet

View
China won't accept 'theft' of TikTok, according to state newspaper

China won't accept 'theft' of TikTok, according to state newspaper

View

From around the web

Page 1Page 1ear iconeye iconFill 23text filevr