An analysis of data crowdsourced from more than 200,000 network-connected infusion pumps used in hospitals and healthcare entities has revealed that 75% of those medical devices contain security weaknesses that could put them at risk of exploitation.
"These shortcomings included exposure to one or more of some 40 known cybersecurity vulnerabilities and/or alerts that they had one or more of some 70 other types of known security shortcomings for IoT devices," Unit 42 security researcher Aveek Das said in a report published Wednesday.
Palo Alto Networks' threat intelligence team said it obtained the scans from seven medical device manufacturers. On top of that, 52.11% of all infusion pumps scanned were susceptible to two known vulnerabilities that were disclosed in 2019 as part of 11 flaws collectively called "URGENT/11" –
- CVE-2019-12255 (CVSS score: 9.8) – A buffer overflow flaw in the TCP component of Wind River VxWorks
- CVE-2019-12264 (CVSS score: 7.1) – An issue with incorrect access control in the DHCP client component of Wind River VxWorks
Other important flaws impacting infusion pumps are listed below –
- CVE-2016-9355 (CVSS score: 5.3) – An unauthorized user with physical access to an Alaris 8015 Point of Care unit may be able to disassemble the device to access the removable flash memory, allowing read-and-write access to device memory
- CVE-2016-8375 (CVSS score: 4.9) – A credential management error in Alaris 8015 Point of Care units that could be exploited to gain unencrypted wireless network authentication credentials and other sensitive technical data
- CVE-2020-25165 (CVSS score: 7.5) – An improper session authentication vulnerability in Alaris 8015 Point of Care units that could be abused to perform a denial-of-service attack on the devices
- CVE-2020-12040 (CVSS score: 9.8) – Cleartext transmission of sensitive information in Sigma Spectrum Infusion System
- CVE-2020-12047 (CVSS score: 9.8) – Use of hard-coded FTP credentials in Baxter Spectrum WBM
- CVE-2020-12045 (CVSS score: 9.8) – Use of hard-coded Telnet credentials in Baxter Spectrum WBM
- CVE-2020-12043 (CVSS score: 9.8) – Baxter Spectrum WBM FTP service remains operational after its expected expiry time until it's rebooted
- CVE-2020-12041 (CVSS score: 9.8) – Baxter Spectrum Wireless Battery Module (WBM) permits data transmission and command-line interfaces over Telnet
Successful exploitation of the aforementioned vulnerabilities could result in leakage of sensitive information pertaining to patients and allow an attacker to gain unauthorized access to the devices, which is why health systems need to be proactively protected against threats.
Last year, McAfee disclosed security vulnerabilities affecting B. Braun's Infusomat Space Large Volume Pump and SpaceStation that could be abused by malicious parties to tamper with medication doses without any prior authentication.
The discovery "highlights the need for the healthcare industry to redouble efforts to protect against known vulnerabilities, while diligently following best practices for infusion pumps and hospital networks," Das said.