Medical infusion pumps contain critical bugs: at least 75% vulnerable

Reports say that close to 100 000 analyzed infusion pumps have security gaps

Infusion pumps can be used as attack vectors. Research: pumps can be vulnerable due to six critical bugs

Analysis of data collected from more than 200 000 network-connected medical infusion pumps showed that 75% of them are running with specific security vulnerabilities to this day.[1] The pumps are used to deliver medication and fluids to patients, and attackers can exploit them if any of the bugs is used to their advantage. The devices are vulnerable to six bugs with critical severity scores ranging up to 9.8.[2] The flaws were reported in 2019 and 2020, but exploitation is still possible.

These old and persistent security issues are fairly prevalent and relate to different functionalities. The security state of those 200 000 infusion pumps was analyzed, and 30 000 – 100 000 of them are still vulnerable to these issues.[3] Criminals can perform denial-of-service attacks on targeted devices, obtain data, and gain read-and-write access to device memory.

These flaws include CVE-2019-12255, a memory corruption bug in the VxWorks real-time operating system, which is used for embedded devices in infusion pump systems. This flaw is present in 52% of the analyzed pumps (104 000 devices). It belongs to a suite of 11 vulnerabilities discovered in 2019. The developer, Wind River, addressed the issue and released patches, but delays in applying upgrades are common for embedded devices.[4]

Five vulnerabilities in products from an American health care company

A vulnerable device can be affected through the exploitation of any one of the six flaws. The rest of them are critical-severity bugs affecting products from the American health care company Baxter International. Their discovery was reported back in June 202. All of them have a severity score of 9.8.

Exploitation of these flaws is possible when the actor is already on the targeted network, which is fairly common. The bugs are related to the transmission of data without authentication, hardcoded credentials, and incorrect permissions that allow an attacker to access particularly sensitive information or alter the network settings of the Wireless Battery Module.

These flaws, unfortunately, do not have any patches, but some mitigations are provided by the developer. It is possible to lower the risk of exploitation by switching to the newer Spectrum IQ Infusion System. This system is not affected by these bugs.

Low-skilled attackers can exploit critical security flaws

At the time the Baxter flaws were discovered, CISA released an advisory describing the possible issues and exploitation of these flaws.[5] It is possible to take advantage of the vulnerabilities and create issues with the system and with users' or patients' information.

This could allow an attacker that has circumvented network security measures to view sensitive non-private data or to perform a man-in-the-middle attack.

The recent Palo Alto Networks research notes that healthcare providers should adopt proactive security strategies and keep their devices safe from unauthenticated attacker access and attacks. This can be achieved with an accurate inventory of all systems on the network.

These flaws pose a general risk to the security of healthcare organizations and, more importantly, patients. The flaws are not currently affecting any of the analyzed infusion pumps, and no attacks or remote access were discovered, but the risk should be mitigated.

About the author
Ugnius Kiguolis