Exploitable IV Infusion Pump and Digital Smart Pen Vulnerabilities Uncovered

New vulnerabilities in digital smart pens and IV infusion pumps that threatens the confidentiality, integrity, and availability of ePHI have been discovered by Spirent SecurityLabs researcher Saurabh Harit.

The vulnerabilities could be exploited to gain access to sensitive patient information, while the IV infusion pump vulnerability could also be exploited to cause patients harm, with potentially fatal consequences for patients.

Smart pens are used by doctors to write prescriptions for medications, which are then transmitted to pharmacies. While the smart pen manufacturers claim the devices do not store sensitive information, Harit was able to gain access to sensitive information through the devices and view patient names, addresses, phone numbers, clinical information, and even medical records.

Harit was able to reverse engineer the smart pens and view the operating system a monitor connected to the device through a serial interface. Initially, low-privilege access to the operating system of the smart pens was gained, but by using an exploit the researcher was able to elevate privileges to gain administrator access. Once administrative rights were gained, and the encryption was defeated, Harit was able to access the backend servers used by the healthcare organization and view sensitive information on patients of several doctors who used the smart pens. The vendors of the smart pens were notified of the flaws and patches have now been released to correct the vulnerability.

Harit also discovered a so far unpatched vulnerability in an IV infusion pump which could be exploited to administer lethal doses of drugs to patients, potentially on all IV pumps used at a particular hospital. Far from being a complex and expensive hack, it was possible with a device that could be purchased for just $7. That device allowed Harit to interface with the pump, read its configuration data, and the access point to which the device connected.

It was possible to set up a fake access point to connect to the device and collect sensitive data on the patient, including the master drug list and doses of drugs to be administered. Harit claims it would be possible to write malware that could attack all IV infusion pumps used by a hospital.

Fortunately, for the vulnerabilities to be exploited, physical access to the devices would be required.

Harit will not disclose the names of the companies or devices affected, but will present the findings on the vulnerabilities at Black Hat Europe later this week.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.