Security flaw: “Smart” drug syringes found to be hackable

As if the safety and efficacy of some vaccines weren’t already in question, now technology is making syringes less safe as well.

“Smart” syringes, anyway.

As reported by the U.K.’s Daily Mail, smart syringes, which are wireless-controlled devices used to administer medications through IVs, are now subject to hacking and, thus, have become a danger to patients.

The U.S. Department of Homeland Security says it has found a vulnerability in an automatic syringe infusion pump that doctors, nurses, and medical staff utilize to administer medications and anesthesia in the hospital setting.

In an advisory, the department’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) said the there was a security flaw in one device called the Medfusion 4000 that would give hackers control over it, meaning they could ‘instruct’ the syringe to either withhold or speed up the delivery of medication. Either of those scenarios could lead to death.

“Successful exploitation of these vulnerabilities may allow a remote attacker to gain unauthorized access and impact the intended operation of the pump,” notes the warning. “Despite the segmented region, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump.”

Scott Gayou, a cyber security researcher, discovered at least eight vulnerabilities in the syringe, which is made by Smiths Medical. The company has said it plans to fix the flaws and will release a new version of its product next year. However, until then, DHS is warning hospitals to be on the lookout for any cyber tampering. (Related: Apple hopes to use ‘big brother’ software to change medicine.)

“An attacker with high skill would be able to exploit these vulnerabilities,” said the DHS warning. “Successful exploitation of these vulnerabilities may allow a remote attacker to spoof or disrupt Transmission Control Protocol (TCP) connections, sniff sensitive account information, and gain unauthorized access to a current web session.”

Cyber security researchers say that six of the eight vulnerabilities pertain to issues involving authentication, hard-coded credentials, and certificate validation issues, any of which would allow a hacker to gain access to the device. Two others involve third-party elements, one of which would give a hacker “remote code execution” of the machine.

Medfusion 4000 units are in common use for critical care, neonatal, and pediatric patients. In each patient, medical dosing is crucial but that is especially true for newborns because even the slightest error can be fatal.

The devices were developed as replacements for manual dosing, and are said to be a much safer, surer way to deliver medications intravenously.

Smiths Medical, which is a British firm, released a statement outlining the security flaws.

“The possibility of this exploit taking place in a clinical setting is highly unlikely, as it requires a complex and an unlikely series of conditions,” the company’s chief technology officer, Brett Landrum, wrote in a letter addressed to, “Dear Valued Customer. “I sincerely apologize for this inconvenience.”

As the “Internet of Things” spreads quickly to the medical industry, multiple wireless devices are now at risk of being hacked. For instance, the Daily Mail noted further, in August cyber security researchers discovered that more than 465,000 patients who had St. Jude pacemakers were at risk of hacks that could prove fatal, necessitating a risky “software update.”

The implanted devices, which are about the size of a matchbox, run on their own software and are designed to keep a person’s heart beating normally. In addition, they transmit data to monitoring cardiologists and physicians and trigger an alarm when there is a problem.

The maker of St. Jude, Abbott Laboratories, sent letters to thousands of clients warning them of the flaw and that there is nothing they can do on their own to protect their pacemakers from being hacked.

In addition to hacking, ransomware can also be used to potentially cause patient death in hospitals.

J.D. Heyes is a senior writer for and, as well as editor of The National Sentinel.

Sources include:




comments powered by Disqus