McAfee researchers found a way to alter the operation of medical pumps and their controllers, which are used to deliver medication to patients remotely and automatically and are manufactured by the German medical technology company B. Braun Melsungen.
According to WIRED, the researchers found that determined cybercriminals can access a hospital’s network and take command of a control unit for these medical pumps, called the B. Braun Space Station. The attack is not easy to reproduce in practice, but when it comes to medical procedures, where patients’ lives are at stake, one can never be too careful.
With control of the Space Station, criminals can exploit four other security vulnerabilities in the communication system between the Space Station and the medical pumps, and in that way control the amount of medication delivered to the patient.
“We pulled all the wires we could and, in the end, we found the worst possible scenario […] We show that it is possible to double the flow rate [of the medication]. As an intruder, you shouldn’t be able to move back and forth from the Space Station to the actual operating system of the pump, breaking the security threshold and gaining access to be able to interact between the two — it’s a real problem,” Steve Povolny, head of security research at McAfee, told WIRED.
In response to McAfee’s discovery, B. Braun Melsungen urges hospitals that use its products to run the most up-to-date software on their devices and to have the security of their networks reviewed by specialized professionals and companies. Nonetheless, according to the McAfee researchers, the problem has not yet been officially resolved.
In addition to being able to control the flow of the drug, the researchers also found that the device communicates with a switch in plain text, without encryption (one of the biggest software security sins), and that it also has vulnerabilities that allow malware to be installed on the device.
Legacy security issue
As we know, hospitals are equipped with a vast amount of electronic and smart equipment that is controlled remotely, either via the internet or by internal controllers. The smart devices hospitals use to help keep their patients alive are often developed with little concern for security and can be easily hacked.
Security vulnerabilities in medical devices like these are nothing new. As WIRED explains, between 2005 and 2009 the Food and Drug Administration (FDA), a US agency equivalent to ANVISA in Brazil, received about 56,000 complaints involving infusion pumps, including some cases of serious injury and even death.
Regarding this recent discovery, the FDA said it will contact the researchers, review the information and coordinate a safety update with the medical device manufacturer.
“We want to make sure that institutions and facilities using these solutions realize that this is a real risk […] Ransomware attacks may even be more likely now, but we cannot ignore the fact that it exists,” concluded the McAfee researcher.