Hackers can remotely access Smiths Medical syringe infusion pumps to kill patients, US-CERT has warned. The Medfusion 4000 wireless infusion pumps are used in critical care settings, and cyber criminals can take control of them.
The independent researcher Scott Gayou found the remotely exploitable vulnerability alongside eight vulnerabilities in Smiths Medical’s Medfusion 4000 Wireless Syringe Infusion Pumps.
The disturbing news, though, is that Smiths Medical will not fix the flaws until a new release, which is scheduled for January next year.
“Independent researcher Scott Gayou has identified eight vulnerabilities in Smiths Medical’s Medfusion 4000 Wireless Syringe Infusion Pump. Smiths Medical is planning to release a new product version to address these vulnerabilities in January, 2018. In the interim, NCCIC/ICS-CERT is recommending that users apply the identified compensating controls until the new version can be applied,” the NCCIC/ICS-CERT advisory states.
“These vulnerabilities could be exploited remotely.”
The following versions of the Medfusion 4000 Wireless Syringe Infusion Pump are affected by the vulnerabilities:
– Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.1;
– Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.5;
– Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.6.
Some flaws are high in severity and can be remotely exploited to “gain unauthorized access and impact the intended operation of the pump.”
“Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump,” the US-CERT advisory reads.
The most severe issue, CVE-2017-12725, involves hard-coded credentials that are used to automatically establish a wireless connection when the device has a default configuration.
The CVE-2017-12725 vulnerability has been rated with a CVSS score of 9.8.
The list of high-severity vulnerabilities includes:
– CVE-2017-12718 – BUFFER COPY WITHOUT CHECKING SIZE OF INPUT (‘CLASSIC BUFFER OVERFLOW’) – A buffer overflow vulnerability that could be exploited for remote code execution on the affected device.
– CVE-2017-12720 – IMPROPER ACCESS CONTROL – The FTP server on the pump does not require authentication if the pump is configured to allow FTP connections.
– CVE-2017-12724 – USE OF HARD-CODED CREDENTIALS – The FTP server on the pump contains hardcoded credentials, which are not fully initialized. The FTP server is only accessible if the pump is configured to allow FTP connections.
– CVE-2017-12721 – IMPROPER CERTIFICATE VALIDATION – The pump does not validate the host certificate, leaving the pump vulnerable to a man-in-the-middle (MITM) attack.
The other vulnerabilities are medium-severity flaws that could be exploited by hackers:
– to crash the communications and operational modules of the medical device;
– to authenticate to telnet using hard-coded credentials;
– to obtain passwords from configuration files.
ICS-CERT provided recommendations for healthcare organizations to protect the devices, including:
– disconnecting the pump from the network until the product fix can be applied;
– disabling the FTP server on the pump;
– assigning static IP addresses to pumps;
– closing unused ports;
– considering the use of virtual local area networks (VLANs) to segment the Medfusion 4000 medical infusion pumps;
– monitoring network activity for malicious servers;
– using strong passwords;
– monitoring and logging all network traffic attempting to reach the affected products;
– regularly creating backups.
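
The monitoring recommendations above can be turned into a simple check over firewall or flow logs. The following is an added example, not code from the advisory or from Smiths Medical; the pump VLAN range, the approved management server address, the log format and the sample records are all constructed assumptions.

```python
import ipaddress

# Assumed site values, constructed for this example (not from the advisory).
PUMP_VLAN = ipaddress.ip_network("10.20.30.0/24")      # VLAN of statically addressed pumps
ALLOWED_PEERS = {ipaddress.ip_address("10.20.1.10")}   # hypothetical pump management server
RISKY_PORTS = {21: "FTP", 23: "telnet"}                # services the advisory calls out

# Constructed flow records: timestamp, source, destination, destination port, action.
SAMPLE_FLOWS = """\
2017-09-08T10:00:01Z 10.20.1.10 10.20.30.11 8443 ALLOW
2017-09-08T10:02:17Z 10.50.7.23 10.20.30.11 21 ALLOW
2017-09-08T10:02:40Z 10.50.7.23 10.20.30.12 23 DENY
2017-09-08T10:05:09Z 10.20.30.12 10.99.0.5 8443 ALLOW
2017-09-08T10:06:30Z 10.50.7.40 10.20.30.11 8443 DENY
truncated-record 10.50.7.40
2017-09-08T10:07:00Z 10.50.7.23 10.50.7.40 21 ALLOW
"""

def audit_flows(text):
    """Return (timestamp, src, dst, port, reason) for each flow worth reviewing."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed records
        ts, src, dst, port, _action = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            continue  # skip records with unparsable addresses or ports
        if dst_ip in PUMP_VLAN:
            if port in RISKY_PORTS:
                reason = f"{RISKY_PORTS[port]} attempt to pump"
            elif src_ip not in ALLOWED_PEERS:
                reason = "unapproved source reaching pump"
            else:
                continue  # approved peer on an expected port
        elif src_ip in PUMP_VLAN and dst_ip not in ALLOWED_PEERS:
            reason = "pump contacting unapproved server"
        else:
            continue  # no pump involved, or pump talking to an approved peer
        findings.append((ts, src, dst, port, reason))
    return findings

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(*finding)
```

Denied flows are reported as well as allowed ones, since the recommendation is to log all traffic attempting to reach the pumps, not only traffic that got through.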