When Billy Rios needed emergency surgery last summer after cerebral spinal fluid began leaking through his nose, he was only partly focused on his life-threatening condition. That's because Rios was distracted by the computerized drug-infusion pumps Stanford Medical Center used to administer medication to him and other patients. As a security researcher, Rios realized he'd purchased the same models of pumps months earlier on eBay in order to examine them for security flaws. As he watched the pump dose him with meds, all he could think about were the holes he'd found in one of the brands that made it susceptible to hacking.

The brand in question was the popular LifeCare PCA drug infusion pump sold by Hospira—an Illinois firm with more than 55,000 of the intravenous drug pumps in hospitals around the world. The pumps are touted for having extra safety measures that reduce medication errors and prevent patient harm and deaths.

But Rios found that the Hospira systems don't use authentication for their internal drug libraries, which help set upper and lower boundaries for the dosages of various intravenous drugs that a pump can safely administer. As a result, anyone on the hospital's network—including a patient in the hospital or a hacker accessing the pumps over the internet—can load a new drug library to the pumps that alters the limits, thereby potentially allowing the delivery of a deadly dosage. Rios did not find that a hacker could alter an actual drug dosage, but rather that they could change the allowable upper limit for a given drug, meaning that someone could then accidentally (or otherwise) set the pump to give too high or too low a dose. And according to Rios, additional research could yet uncover other vulnerabilities. Researchers examining different drug infusion pumps last year, for example, found that those pumps had a web interface that would allow attackers to access and alter dosages.

Dr. Robert Wachter, associate chair of UC San Francisco's Department of Medicine, says the issue is less concerning than if the flaws Rios found allowed someone to alter drug dosages. But because the dosage boundaries in drug libraries are designed to prevent deaths and overdoses, which happen more often than patients think, raising the limit in a pump's library means a hospital could fail to catch a dosage mistake and cause serious harm to patients.

"The risk from changing the bumpers—the high and low permissible doses—doesn't seem to be very high," Wachter says. "It's probably not going to kill someone today. But in a big institution giving 100,000 medications over the course of a month, screwing around with those bumpers is going to cause harm at some point. That worries me. Anything like this at some point will kill someone."

Wachter should know; his recently published book, Digital Doctor, focuses on the ways digital medical systems can go wrong. One excerpt published last week by Medium described an overdose scenario in which a nurse accidentally administered pills to a teenager that were 38 times his proper dosage, triggering a grand mal seizure.

The Hospira Pumps

The Hospira LifeCare pumps have been on the market since 2002 and, according to the company's web site, are "designed specifically to help prevent medication errors that commonly arise" by offering features that "enhance safe delivery" of drugs. One way it does this is to integrate drug libraries into its pumps. Such libraries exist for every medication to set parameters for their safe use. Drug limits, for example, differ for infants, children and adults. For infants and children, dosages are often based on weight, and in adults can vary depending on gender. The libraries setting these limits are loaded to the pumps, so that if a medical practitioner attempts to administer a dosage that exceeds the safe limit, the pump will generate an alert.

The Hospira pumps also use barcodes to reference the correct drug library. A medical practitioner scans the barcode on the intravenous drug package, and a serial number in the barcode tells the pump which drug library to consult to ensure that the dosage entered into the machine by the practitioner doesn't exceed the acceptable limit coded into that drug's library. If a nurse enters the wrong dosage, the pump is supposed to issue an alert.

"This novel technology decreased the dangers of inadvertent human error and significantly reduced the risks associated with under-/over-medication dosing, due to wrong concentration," the company notes in a press release.

Billy Rios

The pumps communicate with MedNet "safety software," a Windows-based operating system designed by Hospira that gets installed on a hospital server to send drug library updates to the pumps. The updates are processed by a communication module built into each pump. The pumps operate in listening mode so that new drug libraries and updates to existing ones can be pushed out to them as needed. To achieve this, the pumps listen through four ports—port 23 (for telnet communication), port 80 (for normal http traffic), port 443 (for https traffic) and port 5000 (for UPnP). The pumps also can use their own WiFi connection for communication.

Rios found several security problems with the MedNet software itself that hospitals use to communicate with the Hospira pumps. MedNet servers not only monitor the pumps in a hospital and send them drug libraries and updates, they're also used to make configuration changes to the pumps and issue firmware updates and patches. Rios found four critical vulnerabilities in this management software that would allow hackers to install malware on them and use them to distribute unauthorized drug libraries to pumps or alter their configurations.

Among the vulnerabilities are a plaintext password that Hospira hardcoded into its software, which an unskilled attacker could use to exploit a SQL database in the system and gain administrative control over the MedNet server. Additionally, the system has hardcoded cryptographic keys that can be captured by an attacker and used to decrypt communication between the server and the pumps. The system also stores usernames and passwords in plaintext. All of these, along with another vulnerability Rios found in the MedNet system would allow an attacker to run malicious code on the server and take control of it to distribute rogue drug libraries to the pumps or alter their configurations.

But, it turns out, an attacker doesn't actually have to take control of the server to send a rogue library to a pump. Because the pumps themselves don't bother to check whether the system sending them updates is the MedNet system, any system on the hospital's network can access the pumps to install a new library or anyone can reach out to them over the internet through one of their internet-facing ports, and do the same.

Hospira pumps do use validation IDs that are embedded in the header of drug library updates and in the libraries themselves to help ensure that data in a library hasn't been corrupted or altered in transit— which is similar to how checksums verify that software hasn't been altered after it was compiled. Each drug library has a different validation ID.

But the IDs don't help the pump determine that an update is legitimate or came from a trusted source. And both of these IDs—the one in the header and in the library—can be easily spoofed. Rios was able to reverse-engineer the system to determine how the validation IDs are generated and write a Java applet to do it automatically. "The way you generate those codes is the same for every single deployment [of the Hospira pump] in the world," he says.

This, combined with the fact that updates can simply be pushed out to a pump instead of the pump being required to contact a trusted server, is a surprisingly poor design for a critical system. Rios points out that even Apple iPhones have a more secure system for getting updates. When a user wants to install an update to an iPhone, the phone has to download it from Apple's server and verify its integrity by checking the update's digital signature.

"At no time can arbitrary users on the same network 'push' an application to your iPhone," Rios notes. "We have to go some place and pull that application. The pumps should [also] be pulling drug libraries from a place that they know is trusted. That way you just have to secure that one place. But the way [Hospira] architected their pumps is that anything on the network can push any update to any pump."

Rios says there's currently no way for someone to verify that data in a pump's drug library is correct. The pump can display a version number for the library, but not what's in the library. As such, there's no way to see the maximum dosage that's configured into a particular drug library on a particular pump. "If you suspected the pump did something bad, you wouldn't be able to inspect the contents of the library on the pump. You'd have to take the pump and pull the library out of the memory," he notes.

Rios suspects that other pumps made by Hospira have the same vulnerabilities.

Hospira did not respond to an initial request for comment but contacted WIRED after this story was published. "Exploiting vulnerabilities requires penetrating several layers of network security enforced by the hospital information system, including secure firewalls," spokeswoman Tareta Adams said in an email. "These network security measures serve as the first and strongest line of defense against tampering and the pumps and software provide an additional layer of security."1

Rios reported the vulnerabilities last year to the Department of Homeland Security's ICS-CERT, which maintains a program for uncovering and patching holes in industrial control systems. ICS-CERT notified Hospira and the Food and Drug Administration, which oversees the certification of medical equipment. According to Rios, Hospira initially refused to fix the vulnerabilities and stated that it had no interest in determining whether other infusion pumps in its product line possessed the same vulnerabilities. But last week DHS issued an alert. Hospira released a new version of its MedNet software recently but the company's spokeswoman said this was not in response to Rios's findings.

"Recent updates have not been made because of or to coincide with the Department of Homeland Security advisory," she noted. "The advisory discussed potential vulnerabilities in Hospira MedNet versions 5.8 and prior. Hospira first released Hospira MedNet version 5.8 in 2012 and has since released two additional versions of the software."2

Rios says he was told the pumps are currently undergoing re-certification by the FDA, because the fix requires a core change to the firmware's design to ensure that only legitimate drug libraries from a trusted source can be installed on them. The Hospira spokeswoman, however, says, "The LifeCare PCA device is not being recertified by the FDA."

She said that there are already protections in place that would prevent someone from installing an unauthorized drug library on the device, but did not say what those protections are.

1;2UPDATE 12:28 ET 04/11/15: This story was updated to include statements from Hospira provided after this story was published.