By Ian Darwin on 2015-05-07 04:00 in Category: security

According to a 2015-05-07 article in SANS @RISK: The Consensus Security Vulnerability Alert, Vol. 15, Number 18 (which you can get for free by signing up at https://www.sans.org/account):
"The Hospira LifeCare PCA3 Drug Infusion Pump has been found to contain multiple remotely exploitable security vulnerabilities. Vulnerabilities such as the ability for an attacker to get an unauthenticated remote root shell, hardcoded local accounts with administrative privileges, storage of wireless keys in clear text, and the use of additional software packages that have had security patches released since the device has shipped are some of the vulnerabilities found within the device. The U.S. Dept. of Homeland Security has issued an advisory, indicating that the vendor is currently working to patch these vulnerabilities."

For more details, see http://hextechsecurity.com/?p=123

It seems that everyone - the F.D.A., the manufacturers, and everyone who tested this thing - has failed the most vulnerable person here - the hospital patient whose drugs are administered by this exploitable pump. It's only been about TEN YEARS since an episode of the TV show Law & Order showed a vengeful nerd exploiting just such a vulnerability in just such a pump to kill people. Nothing has changed.