The US-CERT is warning of hackers can remotely access Smiths Medical Syringe Infusion Pumps to control them and kill patients.
IoT devices continue to enlarge our surface of attack, and in some cases, their lack of security can put our lives in danger.
Let’s thinks for example of medical devices that could be hacked by attackers with serious consequences.
Earlier this month, the US Food and Drug Administration (FDA) recalled 465,000 pacemakers because they are vulnerable to hacking, million people in the United States urged to get their pacemakers updated.
In May, researchers from security firm White Scope analyzed seven pacemaker models commercialized by four different manufacturers and discovered that medical devices could be hacked with “commercially available” equipment that goes between $15 to $3,000.
The FDA has recalled 465,000 pacemakers after discovering security vulnerabilities that could be exploited by hackers to reprogram the medical devices to run the batteries down or in a terrifying hacking scenario to modify the patient’s heartbeat.
The good news is that there are no reports of hacked pacemakers yet.
News of the day is that Smiths Medical’s Medfusion 4000 Wireless Syringe Infusion Pumps used in acute critical care settings could be remotely controlled by attackers.
The medical devices are used worldwide for intensive care such as neonatal and pediatric intensive care and the surgery room.
The remotely exploitable vulnerability was discovered by the independent researcher Scott Gayou, the expert has found eight vulnerabilities in the Smiths Medical’s Medfusion 4000 Wireless Syringe Infusion Pumps.
The bad news is that Smiths Medical will fix the flaws in the new release that is planning to release in January, 2018.
“Independent researcher Scott Gayou has identified eight vulnerabilities in Smiths Medical’s Medfusion 4000 Wireless Syringe Infusion Pump. Smiths Medical is planning to release a new product version to address these vulnerabilities in January, 2018. In the interim, NCCIC/ICS-CERT is recommending that users apply the identified compensating controls until the new version can be applied.” reads the advisory published by the NCCIC/ICS-CERT.
“These vulnerabilities could be exploited remotely.”
The following Medfusion 4000 Wireless Syringe Infusion Pump versions are affected by the vulnerabilities:
- Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.1,
- Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.5, and
- Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.6
Some of the flaws are high in severity and can be remotely exploited to “gain unauthorized access and impact the intended operation of the pump.”
“Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump.” continues the US-CERT.
The most severe issue is the CVE-2017-12725 vulnerability, it is related to the presence of hardcoded credentials to automatically establish a wireless connection to a device with a default configuration.
The vulnerability has been rated with a CVSS score of 9.8
The list of high-severity vulnerabilities include:
- CVE-2017-12718 – BUFFER COPY WITHOUT CHECKING SIZE OF INPUT (‘CLASSIC BUFFER OVERFLOW’) – A buffer overflow vulnerability that could be exploited for remote code execution on the affected device.
- CVE-2017-12720 – IMPROPER ACCESS CONTROL – The FTP server on the pump does not require authentication if the pump is configured to allow FTP connections.
- CVE-2017-12724 – USE OF HARD-CODED CREDENTIALS – The FTP server on the pump contains hardcoded credentials, which are not fully initialized. The FTP server is only accessible if the pump is configured to allow FTP connections.
- CVE-2017-12721 – IMPROPER CERTIFICATE VALIDATION – The pump does not validate host certificate, leaving the pump vulnerable to a man-in-the-middle (MITM) attack.
The other vulnerabilities are medium severity flaws that could be exploited by hackers:
- to crash the communications and operational modules of the medical device.
- to authenticate to telnet using hard-coded credentials.
- to obtain passwords from configuration files.
The ICS-CERT provided recommendations to healthcare organizations are to protect the devices, including:
- disconnecting the pump from the network until the product fix can be applied;
- disable the FTP server on the pump.
- assigning static IP addresses to pumps;
- close unused ports:
- consider the use of network virtual local area networks (VLANs) for the segmentation of the Medfusion 4000 medical infusion pumps.
- monitoring network activity for malicious servers:
- use strong passwords;
- monitor and log all network traffic attempting to reach the affected products
- regularly creating backups;