Exploitable Digital Smartpen and IV Infusion Pump Vulnerabilities Exposed

New vulnerabilities in IV infusion pumps and digital smartpens that endanger the integrity, confidentiality, and availability of ePHI have been disclosed by Spirent SecurityLabs researcher Saurabh Harit.

The vulnerabilities could be exploited to access sensitive patient information, and the IV infusion pump vulnerability could also be exploited to harm patients, with potentially fatal consequences.

Smartpens are used by physicians to write prescriptions for medications, which are then transmitted to pharmacies. Although smartpen manufacturers claim the devices don't store sensitive information, Harit was able to access sensitive information through the devices and view patient names, clinical information, addresses, phone numbers, and even medical records.

Harit was able to reverse engineer the smartpens and view the operating system on a monitor connected to the device via a serial interface. Initially, only low-privilege access to the smartpens' operating system was obtained, but by using an exploit the researcher was able to escalate privileges and gain administrator access. Once administrative privileges had been obtained and the encryption had been defeated, Harit could access the backend systems used by the healthcare company and view sensitive information on patients of many physicians who used the smartpens. The smartpen vendors were notified of the flaws, and patches have now been issued to correct the vulnerability.

Harit also discovered an as-yet-unpatched vulnerability in an IV infusion pump that could be exploited to administer fatal doses of drugs to patients, possibly on all IV pumps used at a particular hospital. Far from being a difficult and costly hack, it was possible with a device that can be bought for only $7. That device let Harit connect to the pump and read its configuration data, as well as details of the access point to which the pump connected.

It was possible to set up a fake access point for the pump to connect to and to gather sensitive information on the patient, including the master drug list and the doses of drugs to be administered. Harit says it would be possible to write a malicious program that could attack all of the IV infusion pumps used by a hospital.

Fortunately, exploiting the vulnerabilities requires physical access to the devices.

Harit won’t reveal the identities of the organizations or devices affected but will present his findings on the vulnerabilities at Black Hat Europe this week.