Security vulnerabilities found in infusion pumps used to treat patients

SECURITY

The idea that medical devices can be hacked for nefarious purposes may sound like something out of movies, but as more and more devices provide connectivity, the risk is exponentially growing.

In a newly published report, researchers at Rapid7 Inc. have detailed vulnerabilities in two TCP/IP enabled medical devices produced by Baxter Healthcare Inc., a company that focuses on products that treat kidney disease and other chronic and acute medical conditions.

The vulnerabilities were found in the SIGMA Spectrum Infusion Pump and the SIGMA Wi-Fi Battery. Baxter’s SIGMA Spectrum products are a commonly used brand of infusion pumps used in hospitals to deliver medication and nutrition directly to a patient. The devices are TCP/IP enabled to provide data to healthcare providers to enable more effective, coordinated care.

Various vulnerabilities were found in both devices. The Wi-Fi battery works in conjunction with the pump, and Wi-Fi credentials are transferred to the battery when the pump is powered up. The use of the battery opens the first vulnerability where an attacker could install a Wi-Fi battery unit, power-cycle the infusion pump, and then remove the battery, which now has critical Wi-Fi data that can be reverse-engineered.

Another vulnerability in the Wi-Fi battery, dubbed “Hostmessage,” allows an attacker to obtain data from the battery through a telnet session. A “format string vulnerability” in the Wi-Fi battery’s software can also be triggered to obtain information from the battery.

There’s even more. The Wi-Fi battery also allowed for unauthenticated remote changing of the SIGMA GW IP address, a setting used for configuring the back-end communication services for the device’s operation.

With the SIGMA Spectrum Infusion Pump, vulnerabilities include the ability for a malicious actor with physical access to place a communication shim between the pump and battery to capture data during the power-up cycle of the unit.

Rapid7 followed standard security disclosure procedures after discovering the vulnerabilities in April, though Baxter was slow in responding. After informing the company of the issues on April 20, the Rapid7 researchers requested an update from Baxter on May 11. Rapid7 then presented its findings to Baxter via teleconference on June 1. A final review of the findings and mitigations for the vulnerabilities were finalized on Aug. 31.

Photo: Baxter Healthcare