The Hospira Life care infusion pump, version 5.0 and prior runs "SW ver 412". It does not require authentication for Telnet sessions, which allows remote attackers to gain root privileges via TCP port 23. By attaching any device to the pump via Ethernet, one can easily extract the wireless encryption keys stored in plain text on the device and thus gain access to the keys Life critical network.
The attacker can then impact the pump configurations or medical libraries by conducting firmware updates, command execution, and drug library updates. However, Hospira maintained that the Operation of the Life Care PCA Infusion pump required the physical presence of a clinician to manually program the dosage into the pump for administration.
Even if credentials are implemented on the Telnet port there are still web services which allow a remote attacker to carry out the remote modifications. Even if that was made secure there are additional services like FTP that are open with hard coded accounts.
Billy Rios, the independent researcher who discovered these vulnerabilities has been co-ordinating with Hospira since May 2014. A new version has been developed by Hospira which mitigates these vulnerabilities and is under U.S. Food and Drug Administration (FDA) review.
In defense, ICS-CERT has advised organizations to ensure closure of unused ports, use of VPN, detaching of the pump from insecure networks and use of good design practices with network segmentation.
Impact of the vulnerability varies depending on each organization, so individual organizations need to evaluate and secure themselves based on their operational environment.
