When security researcher Billy Rios reported earlier this year that he’d found vulnerabilities in a popular drug infusion pump that would allow a hacker to raise the dosage limit on medication delivered to patients, there was little cause for concern. Altering the allowable limits of a particular drug simply meant that if a caregiver accidentally instructed the pump to give too high or too low a dosage, the pump wouldn’t issue an alert. This seemed much less alarming than if the pumps had vulnerabilities that would allow a hacker to actually alter the dosage itself.

Now Rios says he’s found the more serious vulnerabilities in several models of pumps made by the same manufacturer, which would allow a hacker to surreptitiously and remotely change the amount of drugs administered to a patient.

“This is the first time we know we can change the dosage,” Rios told WIRED.

The vulnerabilities are known to affect at least five models of drug infusion pumps made by Hospira—an Illinois firm with more than 400,000 intravenous drug pumps installed in hospitals around the world.

The vulnerable models include the company’s standard PCA LifeCare pumps; its PCA3 LifeCare and PCA5 LifeCare pumps; its Symbiq line of pumps, which Hospira stopped selling in 2013 due to concerns raised by the FDA over other quality and safety issues with the pumps; and its Plum A+ model of pumps. Hospira has at least 325,000 of the latter model alone installed in hospitals worldwide.

These are the systems that Rios knows are vulnerable because he’s tested them. But he suspects that the company’s Plum A+3 and its Sapphire and SapphirePlus models are equally vulnerable too.

Hospira did not respond to a request for comment.

Earlier this year, Rios went public with information about a different security issue with Hospira’s LifeCare pumps. This one involved drug libraries used with the pumps, which help set upper and lower boundaries for dosages of intravenous drugs a pump can safely administer.
Because the libraries don’t require authentication, Rios found that anyone on the hospital’s network—including patients in the hospital or a hacker accessing the pumps over the Internet—can load a new drug library that alters the limits for a drug.

At the time he publicly disclosed the library vulnerability, Rios told WIRED that he had not yet found any vulnerabilities that would allow him to actually alter a drug dosage, though he was working on it. But he now acknowledges that he had found these more serious vulnerabilities in the LifeCare pumps at the time and had in fact reported them to Hospira and the FDA last year. At the time he hadn’t yet tested a Plum A+ pump, however.

The new vulnerabilities would allow attackers to remotely alter the firmware on the pumps, giving them complete control of the devices and the ability to alter dosages delivered to patients. And because the pumps are also vulnerable to the previous library vulnerability he disclosed, an attacker would be able to first raise the dosage above the maximum limit before delivering a potentially deadly dosage without the pump issuing an alert.

How the Firmware Security Flaw Works

The problem lies with a communication module in the LifeCare and Plum A+ pumps. Hospitals use the communication modules to update the libraries on the pumps. But the communication modules are connected via a serial cable to a circuit board in the pumps, which contains the firmware. Hospira uses this serial connection to remotely access the firmware and update it. But hackers can use it for the same purpose.

The serial connection would be less of a concern if Hospira’s pumps accepted only legitimate firmware updates that were authenticated and digitally signed. But Rios says they’ll accept any update, which means anyone can alter the software on the pumps. “And if you can update the firmware on the main board, you can make the pump do whatever you like,” Rios says.
A hacker could not only change the dosage of drugs delivered to a patient but also alter the pump’s display screen to indicate a safe dosage was being delivered.

The compromise of the communication module and serial cable doesn’t automatically mean a compromise of the pump. An attacker needs to know how to perform a firmware update. But Rios says it didn’t take him long to figure it out.

Hospira Denied Problem With Pumps

Rios says when he first told Hospira a year ago that hackers could update the firmware on its pumps, the company “didn’t believe it could be done.” Hospira insisted there was “separation” between the communications module and the circuit board that would make this impossible. Rios says technically there is physical separation between the two. But the serial cable provides a bridge to jump from one to the other.

“From an architecture standpoint, it looks like these two modules are separated,” he says. “But when you open the device up, you can see they’re actually connected with a serial cable, and they’re connected in a way that you can actually change the core software on the pump.”

An attacker wouldn’t need physical access to the pump. The communication modules are connected to hospital networks, which are in turn connected to the Internet. “You can talk to that communication module over the network or over a wireless network,” Rios warns. Hospira knows this, he says, because this is how it delivers firmware updates to its pumps.

Yet despite this, he says, the company insists that “the separation makes it so you can’t hurt someone. So we’re going to develop a proof-of-concept that proves that’s not true.”

He plans to demonstrate a proof-of-concept attack next month at the SummerCon security conference in Brooklyn, New York.

Rios says when he warned Hospira a year ago about the firmware problem in its LifeCare pumps, he advised the company to perform what’s called a variant analysis to determine if its other models of pumps were affected as well, but the company refused, saying the problem was confined to the LifeCare line. To prove Hospira wrong, Rios purchased and tested one of the company’s Plum A+ drug pumps and found that it had the same firmware issue.

Last month, the FDA issued an alert about the firmware issue, but only in reference to Hospira’s LifeCare PCA3 and PCA5 pumps. The alert didn’t mention the other models, which could lead hospitals to believe they don’t have a security risk.

Rios contacted the FDA last week to tell the agency that the vulnerability extended to Hospira’s Plum A+ line as well, but he says the federal agency asked him to withhold the finding from the public until Hospira had time to verify the issue. But Rios declined, saying Hospira had already had a year to test the Plum A+ pumps and determine if the problem extended to them, but had declined to do so. He said hospitals needed to know now that the pumps are putting patients at risk.

The FDA did not respond to a request for comment.

Rios is planning to obtain models from Hospira’s Sapphire line of pumps as well to prove that they’re equally vulnerable to the issue.

Source
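
The firmware section of the article above says the pumps accept any update instead of only authenticated, signed ones. The following is an added example (not code from the article, Rios, or Hospira) of the kind of main-board check that description says is absent. The container layout, key handling and function names are assumptions, and HMAC-SHA256 stands in for a digital signature because Python's standard library has no asymmetric verification; a fielded device would verify a vendor signature with a public key so that it holds no forging secret.

```python
import hashlib
import hmac
import struct

# Constructed container layout (an assumption, not any vendor's format):
#   magic(4) | version(u32 BE) | payload_len(u32 BE) | payload | tag(32)
MAGIC = b"FWUP"
HEADER = struct.Struct(">4sII")
TAG_LEN = hashlib.sha256().digest_size


def build_image(key, version, payload):
    """Vendor side: package a payload and append its authentication tag."""
    body = HEADER.pack(MAGIC, version, len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def accept_update(key, installed_version, image):
    """Main-board side: decide whether bytes received over the serial
    link may be flashed. Returns (accepted, reason)."""
    if len(image) < HEADER.size + TAG_LEN:
        return False, "truncated image"
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    # Authenticate first; no header field is trusted before this passes.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time compare
        return False, "authentication failed"
    magic, version, length = HEADER.unpack_from(body)
    if magic != MAGIC or length != len(body) - HEADER.size:
        return False, "malformed header"
    # Refuse downgrades to an older, possibly flawed, authentic image.
    if version <= installed_version:
        return False, "rollback rejected"
    return True, "ok"


if __name__ == "__main__":
    key = b"\x11" * 32                      # constructed demo key
    good = build_image(key, 7, b"constructed firmware payload")
    forged = build_image(b"\x22" * 32, 9, b"image from an unknown sender")
    for name, img in (("vendor", good), ("forged", forged)):
        print(name, accept_update(key, 6, img))
```

The design point is the trust boundary: the check runs on the board that holds the firmware, so a compromised communication module on the other end of the serial cable can deliver bytes but cannot make them pass.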
When Ross Ulbricht was sentenced to life in prison without parole last Friday, the judge in his case made clear that her severe punishment wasn’t only about Ulbricht’s personal actions in creating the Silk Road’s billion-dollar drug market. As Judge Katherine Forrest told the packed courtroom, she was also sending a message to any would-be online drug kingpins who might follow in his footsteps.

“For those considering stepping into your shoes,” she said, “they need to understand without equivocation that there will be severe consequences.”

But despite Ulbricht’s ultimate punishment, the lesson for anyone closely watching the Dark Web drug trade has hardly been one of inevitable consequences. As independent researcher Gwern Branwen has documented in an ongoing survey of more than 70 Dark Web drug markets created after Ulbricht founded the Silk Road, only five of those sites’ administrators have been arrested. For many of the others, the security model Ulbricht pioneered—using Tor and bitcoin to protect administrators, buyers and sellers—has successfully kept law enforcement fumbling in the shadows.

In fact, the difficulty of laying hands on Dark Web drug market creators was one reason Ulbricht’s prosecutors asked for a lengthy sentence. If law enforcement can’t apprehend all Ulbricht imitators, went prosecutors’ argument, it had better compensate with harsher punishment for those it does catch.

“Although the Government has achieved some successes in combating these successor dark markets, they continue to pose investigative challenges for law enforcement,” read the prosecution’s letter. “To the extent that would-be imitators may view the risk of being caught to be low, many are still likely to be deterred if the stakes are sufficiently high.”

When Ross Ulbricht begins his life sentence at a federal prison in the coming weeks, in other words, he won’t just be serving his own time. He’ll also be serving the time of all the Dark Web drug lords who escaped his fate.

Here are five of those online narco-kingpins who—for now—remain at large.

Variety Jones

Despite Ulbricht’s arrest and the rounding up of four of his Silk Road lieutenants, the second most important figure in that black market operation still hasn’t been captured or even publicly identified. Variety Jones served as Ulbricht’s security consultant, advisor, and even mentor, according to Ulbricht’s journal and chat logs the prosecutors admitted into evidence at trial. The anonymous figure, who sold cannabis seeds on the site, also secretly advised Ulbricht on everything from tracking sales statistics to creating a personal cover story. It was Jones who named him the Dread Pirate Roberts to give the impression of a rotating command rather than a single individual. And Jones also nudged the Dread Pirate Roberts toward violence, suggesting in a private chat that they murder an employee believed to have stolen hundreds of thousands of dollars in bitcoin from the site.

Atlantis

During the Silk Road’s time online, its most aggressive competition came from a site called Atlantis, a Dark Web market with a similar business model, but with the addition of an advertising budget. Atlantis went so far as to post a public YouTube video ad and to host an “ask-me-anything” session on Reddit with the site’s unnamed founder and its CEO. In an encrypted interview, those leaders would later describe their site to me as the “Facebook to [Silk Road’s] Myspace.” Just before the FBI bust of the Silk Road in the summer of 2013, however, Atlantis’ founders shuttered their site and absconded with all their users’ bitcoins. Ross Ulbricht would write in his journal that the Atlantis admins had privately warned him of a purported security flaw in Tor that inspired them to abandon ship. The Atlantis creators never resurfaced—neither online nor in the hands of law enforcement.

Dread Pirate Roberts 2

Just one month after the original Silk Road was seized, Silk Road 2 came online.
At its helm, of course, was a new Dread Pirate Roberts; Ulbricht’s cover story of a rotating command had become a self-fulfilling prophecy. The second DPR was at least as talkative as the first, posting political statements to the Silk Road 2 forums and even creating a Twitter account. But after three Silk Road 2 administrators were arrested—all of whom had worked for the original Dread Pirate Roberts on Silk Road 1.0—the new Dread Pirate Roberts gave up control of the site to a new administrator named Defcon. Defcon would be identified as 26-year-old Blake Benthall and arrested as part of Operation Onymous, a mass purge of Dark Web sites by the FBI and Europol late last year that took down dozens of Tor hidden services. But the second Dread Pirate Roberts seemed to escape that international dragnet.

Verto

For a year starting in March of 2014, Evolution was the new and improved mecca of the Dark Web’s underground economy. At its peak, Evolution had more than twice as many product listings as the Silk Road ever offered, including types of contraband Ulbricht never allowed on the Silk Road such as stolen financial information. And it somehow ran faster and stayed online far more reliably than its competitors. That criminal professionalism was in part the work of an experienced cybercriminal called Verto, Evolution’s pseudonymous founder and the founder of the earlier Dark Web black market known as Tor Carder Forum, devoted to identity theft. Then in March of this year, Verto and Evolution co-founder Kimble abruptly shut down the site, taking with them millions of dollars of their users’ bitcoins. A Department of Homeland Security investigation continues to search for the two Evolution administrators, revealed a subpoena sent to the “darknetmarkets” forum of Reddit seeking to identify Evolution staffers. But no arrests have been announced.

Darkside

For any Dark Web drug lord trying to avoid being the next Ross Ulbricht, step one is not to be in the United States.
That’s a lesson from Darkside, the creator of RAMP, the Russian Anonymous Marketplace. RAMP has survived three years online—longer than any other Dark Web drug market—by focusing exclusively on Russian clientele. “We never mess with the CIA, we work only for Russians and this keeps us safe,” Darkside told WIRED in December of last year. “You can’t rape the whole world and remain safe.”

Darkside, who uses an illustration of Edward Norton as his online avatar, said at the time of that interview that RAMP was continuing to earn him close to $250,000 a year in revenue, far less than the Silk Road but enough for Darkside to consider himself a “rich guy” in his local currency. And he offered another tip to avoid the kind of law enforcement crackdown that targeted the Dread Pirate Roberts: don’t talk politics. In fact, all political discussion is banned on RAMP. “Politics always attract extra attention,” Darkside wrote. “We do not want that.”

Source