Internet of Hacked Things: Drug Pumps

Started by deanwebb, May 05, 2015, 02:02:54 PM


deanwebb

https://threatpost.com/vulnerability-riddled-drug-pumps-open-to-takeover/112629

"Don't buy a Hospira PCA drug pump to do security stuff. Busybox no passwd shell on 23, no-auth CGIs, also never hook it up to a human being."
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Otanx

I have given up on following the IoT compromises. I just assume I could break into it by breathing at it. I don't even see this as the worst one. Article from 2008: http://www.nytimes.com/2008/03/12/business/12heart-web.html?_r=0

Basically, if you have a pacemaker and I can get you to put a device in your breast pocket, I can stop your heart. I am just glad I don't work security in the medical field.

-Otanx

deanwebb

Thing is, people should be doing security before putting devices on the market. Usually, a gadget maker is so stoked to have a working gadget, he gets backers to back him, they make it, they sell it, it's in every (something) in America and half the market in Europe and then OH NOES IT CAN BE H4XX0R3D!!!!!

Security doesn't just mean "keep it from being stolen." Security means "safe to use."

Otanx

I agree whole-heartedly with security needing to be baked in from the get-go. That is the big problem with the entire Internet of Things. These were devices (like the drug pump) that started out as stand-alone units. Then one of their customers came along and said, "Hey, it would be cool if I could remotely monitor these drug pumps at the nurses' station instead of having to send a nurse to every room to make sure the drug pump is still working." Then the vendor thinks about it, and decides the easiest way to do this is to drop a small computer with wifi on it inside the drug pump, and set up some serial lines to read and write data to the hardware that actually runs the pump. This is incredibly trivial to do. They don't even need to hire an IT guy. The EEs that designed the pump can bang it together pretty easily. Throw a pretty web front end on it, and oh, leave telnet open in case we need to troubleshoot something. Boom! Their marketing team gets to go out and sell these cool new remotely controlled drug pumps.

-Otanx
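The post above describes the bolted-on design from the vendor's side: a small computer inside the pump, a web front end, telnet left open for troubleshooting. The block below is an added example written for this thread, not code from the thread or from any pump vendor, and looks at the same design from the hospital network's side: flow records from the clinical VLAN are checked against a small allow-list policy (only the nurses'-station server, only over TLS, telnet never). The subnets, hosts, ports and log lines are all constructed assumptions.

```python
"""Audit constructed flow records for risky access to clinical devices.

Added example (not code from the thread or from any vendor). It models the
situation described above, a pump with a web front end and telnet left open,
from the defender's side: flow logs from the clinical VLAN are checked against
a small allow-list policy. Subnets, hosts, ports and log lines below are all
constructed assumptions.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

CLINICAL_NET = ipaddress.ip_network("10.50.0.0/24")      # assumed pump/monitor VLAN
MONITORING_HOSTS = {ipaddress.ip_address("10.10.1.5")}  # assumed nurses'-station server
ALLOWED_MONITORING_PORTS = {443}                        # assumed: TLS API only
NEVER_ALLOWED_PORTS = {23}                              # telnet: no acceptable source


@dataclass(frozen=True)
class Finding:
    severity: str
    src: str
    dst: str
    dport: int
    reason: str


def parse_flow(line):
    """Parse one constructed record: 'time src:sport -> dst:dport proto bytes'."""
    ts, src, arrow, dst, proto, nbytes = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected record format: {line!r}")
    src_ip = ipaddress.ip_address(src.rsplit(":", 1)[0])
    dst_ip_str, dport = dst.rsplit(":", 1)
    return ts, src_ip, ipaddress.ip_address(dst_ip_str), int(dport), proto, int(nbytes)


def assess(src, dst, dport):
    """Return a Finding for a flow that violates the clinical-VLAN policy, else None."""
    if dst not in CLINICAL_NET:
        return None                      # policy only covers traffic *into* the pump VLAN
    if dport in NEVER_ALLOWED_PORTS:
        return Finding("high", str(src), str(dst), dport,
                       "telnet to clinical device (should not be reachable at all)")
    if src in MONITORING_HOSTS:
        if dport in ALLOWED_MONITORING_PORTS:
            return None                  # the one sanctioned path: nurses' station over TLS
        return Finding("medium", str(src), str(dst), dport,
                       "monitoring host using a non-approved port")
    return Finding("high", str(src), str(dst), dport,
                   "unapproved source reaching clinical device")


def audit(lines):
    """Run every record through the policy and return the findings in log order."""
    findings = []
    for line in lines:
        _, src, dst, dport, _, _ = parse_flow(line)
        finding = assess(src, dst, dport)
        if finding is not None:
            findings.append(finding)
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 2, 'medium': 1}."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample flows (not real captures): one sanctioned monitoring
# session, one monitoring host drifting to plain HTTP, one outside host hitting
# telnet, one outside host hitting the TLS port, and one pump talking outbound.
SAMPLE_FLOWS = [
    "2015-05-06T10:00:01 10.10.1.5:51000 -> 10.50.0.21:443 tcp 2310",
    "2015-05-06T10:00:02 10.10.1.5:51001 -> 10.50.0.21:80 tcp 900",
    "2015-05-06T10:00:03 192.168.77.9:40000 -> 10.50.0.22:23 tcp 120",
    "2015-05-06T10:00:04 192.168.77.9:40001 -> 10.50.0.22:443 tcp 400",
    "2015-05-06T10:00:05 10.50.0.21:33000 -> 10.10.1.5:443 tcp 5000",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"[{f.severity}] {f.src} -> {f.dst}:{f.dport}  {f.reason}")
    print(summarize(audit(SAMPLE_FLOWS)))
```

The policy is deliberately an allow-list rather than a list of bad ports: a device that ships with an unauthenticated shell cannot be fixed from the network side, but the network can make sure the only thing that ever reaches it is the monitoring server the hospital actually asked for. The outbound pump flow in the last sample record is ignored here on purpose; a fuller policy would cover that direction too.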

icecream-guy

Just like with network design: the customer has some ideas of doing network majik between A & B, the network guys design and deploy said configuration and get it working. Now that it's working, it goes into production, the customer wants to see results;
it's not like they are going to say, "OK, now that it's working, tear it all apart and redo the majik making it secure." That ain't gonna happen.
:professorcat:

My Moral Fibers have been cut.

dlots

Buttloads of these on eBay, some for less than $100.
PS please don't kill anyone.  :thankyou:

deanwebb

I promise not to kill nobody. :mrgreen:

Sometimes, I wonder if the fact that I don't hear of massive product tampering or mass murders due to hacking is because:

1) There is a shortage of good talent on both sides of the fence, and;
2) The guys with really good skillz are working for criminal or state-sponsored enterprises, which would prefer long-term leeching to crushing and killing.

That being said, if a hacktivist/terrorist actually showed up with the ability and opportunity to do a persistent campaign to destroy a company instead of just sending its web traffic to a different server, then we'd see real mayhem out there.

Annoyances like brownouts, people can endure. Imagine, though, if all power to NYC was shut down and kept shut down for a month. That's lethal business. But because that stuff's not happening, people don't believe it will happen.

It's almost like trying to get people to get flu shots. Some will, but even if the shot's free, there are those that say it'll give them the flu or that it won't work, so why bother? Or they can't spare the time, that's another excuse. But if the flu strain turns lethal, suddenly they're interested in that shot.

icecream-guy

Quote from: deanwebb on May 06, 2015, 07:37:08 PM
It's almost like trying to get people to get flu shots. Some will, but even if the shot's free, there are those that say it'll give them the flu or that it won't work, so why bother? Or they can't spare the time, that's another excuse. But if the flu strain turns lethal, suddenly they're interested in that shot.

Influenza can be lethal; in the United States, CDC models estimated an annual overall average of 6,309 deaths.

ref:
http://www.cdc.gov/mmwr/preview/mmwrhtml/mm5933a1.htm
:professorcat:


deanwebb

True, but unless someone *right next to me* got it real bad, I don't think it can happen to me. So why bother?

Similar logic flow to "I'd rather be thrown clear in a wreck."

that1guy15

Dude, half the apps and devices in the medical field from an IT perspective are absolute shit. I thought GOV applications were trash, but medical takes the cake.

I still have apps that don't support DNS or DHCP. They are that old! And the vendors with their recommended designs/deployment models are horrible. It's like I'm stepping back in time and working with technology out of the '80s-'90s. What makes it all worse is you only have a couple of options for various solutions and they all equally blow.

Security is a joke. The only thing further from their view than security is IPv6. :angry:

That1guy15
@that1guy_15
blog.movingonesandzeros.net

Reggle

Quote from: that1guy15 on May 08, 2015, 09:09:21 AM
I still have apps that don't support DNS or DHCP.
Or a default gateway. Yes I know the medical field.

deanwebb

Note to self: don't ever do security in the medical sector.