Several Hospira Drug Pumps Use Vulnerable Software: Researcher

Wednesday, June 10, 2015

Eduard Kovacs


A researcher who has analyzed the software installed on infusion pumps manufactured by Hospira says several models are plagued by the vulnerabilities disclosed earlier this year.

Roughly one year ago, security researcher Billy Rios privately disclosed several vulnerabilities in Hospira LifeCare patient-controlled analgesia (PCA) infusion systems. Some of the same flaws were independently identified and made public earlier this year by Canada-based researcher Jeremy Richards.

In May, both ICS-CERT and the Food and Drug Administration (FDA) published alerts to warn users about the security bugs which, according to researchers, can be exploited to take complete control of affected drug pumps and possibly even cause harm to users.

The list of security issues includes hardcoded credentials, shared private keys and encryption certificates, outdated software, improper authorization, and insufficient verification of data authenticity.

The security advisories from ICS-CERT and the FDA covered the Hospira LifeCare PCA3 and PCA5 drug infusion pumps. The vulnerabilities identified by researchers should be fixed in version 7, but this variant is still being reviewed by the FDA so it’s not yet available.

After determining that many of the vulnerabilities in PCA3 were related to design and insecure deployment, and after noticing that the vulnerable firmware contained references to other Hospira products, Rios asked the manufacturer to conduct its own analysis to determine if other drug pumps were affected as well.

Since Hospira said it wasn’t interested in verifying if its other products were vulnerable, Rios decided to conduct the tests himself. The expert has found that many of Hospira’s infusion pumps use the same software, meaning that they are affected by the same flaws as PCA3 pumps.

Rios says the vulnerabilities affect Plum A+, LifeCare PCA, and Symbiq pumps. While not confirmed, the researcher believes Plum A+3, Plum 360, Sapphire, and SapphirePlus infusion systems are also impacted. It’s worth noting that Symbiq pumps have been phased out by Hospira.
