Video Shows a Terrifying Drug Infusion Pump Hack in Action

Video provides proof-of-concept that drug infusion pumps in hospitals can be remotely hacked to deliver a deadly dosage to patients.

https://www.youtube.com/embed/htqOu846ycw

It's one thing to talk about security vulnerabilities in a product, but another to provide a proof-of-concept demonstration showing the device being hacked.

That's what occurred last month when BlackBerry Chief Security Officer David Kleidermacher and security professional Graham Murphy showed how easy it is for hackers to take control of a hospital drug infusion pump by overwriting the device's firmware with malicious software.

The hack would allow someone to remotely administer a fatal drug dose to patients.

Although the video demonstration, conducted at the BlackBerry Security Summit in New York, doesn't identify the model and brand of the pump being attacked, security researcher Billy Rios says it's the Lifecare PCA drug infusion pump made by Hospira, an Illinois-based firm with more than 400,000 intravenous drug pumps installed in hospitals around the world.

Rios knows this because the demonstration is using vulnerabilities he uncovered in several models of drug infusion pumps made by Hospira—the PCA, PCA3, PCA5, Symbiq, Plum A+, and the Plum A+3.

As previously reported by WIRED, those security problems would allow attackers to raise the software-defined upper limit on the dosage delivered to a patient before then administering a deadly dose.

Although the FDA issued an alert about the PCA3 and PCA5 pumps earlier this year, it declined to warn hospitals about the other models. And it's unclear if hospitals have heeded the warning about any of the unsecured devices.