Alert Over Bugs in Medfusion Syringe Pumps

The US Department of Homeland Security (DHS) has warned of eight new vulnerabilities in several popular syringe infusion pump models which could allow a remote hacker to alter how they work.

An ICS-CERT advisory late last week revealed eight new flaws in Smiths Medical’s Medfusion 4000 Wireless Syringe Infusion Pump; versions 1.1, 1.5 and 1.6.

These smart devices are designed to deliver medication in acute care settings worldwide, according to the advisory.

It had the following:

“Successful exploitation of these vulnerabilities may allow a remote attacker to gain unauthorized access and impact the intended operation of the pump. Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump.

Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment and specific clinical usage.”

The vulnerabilities in question have not yet been exploited in the wild, and the ICS-CERT admitted that it would require “an attacker with high skill” to do so.

The eight bugs include some commonly found vulnerabilities such as: use of hard-coded credentials; passwords stored in the configuration file; improper access control; improper certificate validation; and buffer overflow.

The UK-headquartered manufacturer is not going to patch these bugs until January, so in the meantime the DHS has released a set of mitigations for customers.

These include monitoring network activity for rogue DNS/DHCP servers; assigning a static IP address to the pump; network micro-segmentation; proper password management; and routine back-ups and testing.

Internet-connected medical devices are increasingly being targeted by hackers, with over a third (36%) of respondents to a recent Deloitte study claiming to have been hit by a cyber-attack over the past 12 months.

Notably, the infamous WannaCry ransomware worm infected many IoT medical devices in the US when it struck back in May.

Malcolm Murphy, technology director for Western Europe at Infoblox, argued that manufacturers of such devices need to start prioritizing security.

“However, a further difficulty arises because of the life-cycle of medical devices. Often, the device life is not going to be in sync with the rapid rate at which the IT industry discovers vulnerabilities and issues patches,” he added.

“In order to combat the potential dangers, IT managers must ensure that they can monitor the network activity of connected medical devices so that they can spot unusual and potentially malicious activity. Without it, not only can these devices be hijacked by hackers as an entry point into the network and the wealth of sensitive patient data, but, as seen in this case, also put the physical safety of patients at risk.”

What’s Hot on Infosecurity Magazine?