Douglas McKee & Philippe Laulheret at Hardwear Netherlands 2021

McAfee Enterprise

Overmedicated: Breaking the security barrier of a B.Braun Infusion pump


In the last year, criminals and nation-states alike have increased attacks on the health care sector, as confirmed by the Verizon 2020 Data Breach Investigations Report, which noted a 42% increase in breaches from the previous year. The attacks are largely financially motivated (88% per Verizon), with attackers often deploying ransomware. What would happen if attackers started targeting specific networked medical devices and held more than a computer system for ransom?

The intravenous (IV) infusion therapy market is a clear potential target with an estimated $54 billion in annual revenue, with 2020 sales of IV pumps in the US at $13.5 billion and over 1 billion IV infusions administered globally each year. IV pumps are inherently trusted to be secure and have over time become the mainstay for efficient and accurate infusion delivery of medication.

McAfee's Advanced Threat Research team took a deep dive into one of B.Braun's IV pumps and discovered a chain of vulnerabilities, starting with an unauthenticated, network-accessible format string vulnerability, which leads to root access and more. The pump's real-time operating system is isolated from the network and relies instead on a separate communication module running a regular embedded Linux. We leveraged our remote root access on the network module to modify the pump's internal calibration data, which leads to potentially fatal overdosing or underdosing of medication while the pump maintains false readings on-screen.

This presentation includes a deep technical analysis of the process used to gain root access and the reversing of the pump's firmware. We will then combine the two to demonstrate a critical attack scenario. Additionally, healthcare industry experts and frontline medical workers will provide a unique end-user perspective.

Speaker Bio:

Douglas McKee is a Principal Engineer and Senior Security Researcher for the Advanced Threat Research team, focused on finding new vulnerabilities in both software and hardware. Douglas has an extensive background in vulnerability research, penetration testing, reverse engineering, malware analysis, and forensics and throughout his career has provided software exploitation training to many audiences, including law enforcement. Doug is a regular speaker at industry conferences such as DEF CON and his research is regularly featured in publications with broad readership including Wired, Politico, Bleeping Computer, Security Boulevard, Venture Beat, CSO, Politico Morning eHealth, Tech Republic, and Axios.

Philippe Laulheret is a Senior Security Researcher on McAfee Enterprise's Advanced Threat Research team. With a focus on Reverse Engineering and Vulnerability Research, Philippe uses his background in Embedded Security and Software Engineering to poke at complex systems and get them to behave in interesting ways. In his spare time, Philippe enjoys playing CTFs, immersing himself in the beauty of the Pacific Northwest, and exploring the realm of Creative Coding. Philippe holds an MSc in Computer Science from Georgia Tech and an MSc in Electrical and Computer Engineering from Supélec (France).