After more than 400 days
Posted: Thu Feb 13, 2025 4:31 am
More than a year ago, he reported a series of vulnerabilities in the control system of an H-made infusion pump to the Department of Health, the Department of Homeland Security, and the Food and Drug Administration. The bugs were minor, such as allowing an unauthorized person to remotely increase the maximum limit for administering medications.
The manufacturer still hasn't bothered to release a single patch.
In April of this year, another independent researcher made some of these vulnerabilities public, causing a stir.
Moreover, vulnerabilities were found in other equipment as well.
Among the vulnerabilities are the ability to forge a list of v for an infusion pump; unauthorized access to the interface of the communication module with root access; identical hard-coded login and password in all devices; identical secret keys; identical encryption certificates; many outdated programs (more than 100 different vulnerabilities).
If an attacker can replace the firmware on a device (theoretically, he has such rights), then he can do anything. In particular, a hacker managed for the first time to remotely increase the dosage of a drug that a patient receives through an infusion pump, up to a lethal dosage. Remote access to the pump is possible from anywhere within the hospital's local network or via the Internet, if the attacker manages to enter the hospital's local network.
- Chief, but this is practically a license to kill!
- That's right, Rita! That's why we're creating a top-secret project, and you and Mark will most likely head it. You can choose any people from our department, as well as graduate students from the Academy. If you know any of the graduates who are currently working elsewhere (no matter if they're state or private companies), write to them and they will be called up for service by order of the Emperor. The goal of the project is penetration testing in all hospitals and clinics. Naturally, you will report to me personally about the testing. We will restore order.