ICS Summary for Week of September 14, 2017

By Kimberly Matsumoto on September 15, 2017

Syringe Infusion Pumps Vulnerable to Remote Attacks

ICS-CERT has published an advisory detailing eight vulnerabilities found in the Medfusion 4000 Wireless Syringe Infusion Pump, manufactured by US-based device maker Smiths Medical. These systems are meant to deliver accurate small doses of medication to patients in critical care situations, such as intensive care or the operating room. They are widely used worldwide in the Healthcare and Public Health sector. The specific infusion pump versions affected were:

  • Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.1
  • Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.5
  • Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.6

ICS-CERT warned that “Successful exploitation of these vulnerabilities may allow a remote attacker to gain unauthorized access and impact the intended operation of the pump. Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump.” These exploits could give a malicious actor the potential to cause great harm to patients on the infusion pumps. Fortunately, a high skill level is necessary in order to use these exploits, and there are currently no public exploits that target the vulnerabilities.

Medfusion 4000 (Source: Smiths Medical)


The most critical of the vulnerabilities was the use of hard-coded credentials (CVE-2017-12725), which was given a CVSS score of 9.8. If the default network configurations are not changed, the pump uses hard-coded usernames and passwords to establish a wireless network connection, even if it is actively connected to Ethernet. There are four other high-risk vulnerabilities found in the devices.

  • Buffer copy without checking size of input (‘Classic Buffer Overflow’) – Input buffer size was not verified prior to copying, which led to a buffer overflow and allowed remote code to be executed on the device.
  • Improper Access Control – The pump has an FTP server and, if it allows FTP connections, does not require authentication for access.
  • Use of Hard-Coded Credentials – If the FTP server is allowing connections, a malicious actor could gain access using hard-coded credentials.
  • Improper Certificate Validation – There is no validation on the host certificate which leaves the pump vulnerable to man-in-the-middle (MitM) attacks.

Smiths Medical is planning to address these vulnerabilities in their upcoming release in January 2018. For now, they gave some recommendations for users to help with mitigation:

  • Assign static IP addresses to the devices
  • Monitor network activity for rogue DNS and DHCP servers
  • Make sure the segment of the network the pumps are on is segmented from other IT infrastructure
  • Consider use of network virtual local area networks (VLANs) for segmentation
  • Use proper password hygiene standards
  • Do not allow password re-use
  • Routinely make backups and perform evaluations
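
One way to act on the "monitor for rogue DNS and DHCP servers" recommendation, and to watch for FTP connections to the pumps, is to audit flow records from the pump segment. The following is an added example, not code from the advisory or from Smiths Medical; the CSV flow format, the addresses (documentation ranges), and all names in it are assumptions.

```python
import csv
import ipaddress

# Constructed flow records (documentation-range addresses), not real traffic.
SAMPLE_FLOWS = """\
ts,proto,src_ip,src_port,dst_ip,dst_port
2017-09-14T10:00:01,udp,192.0.2.1,67,255.255.255.255,68
2017-09-14T10:00:02,udp,192.0.2.200,67,255.255.255.255,68
2017-09-14T10:01:10,udp,192.0.2.21,40112,192.0.2.53,53
2017-09-14T10:01:11,udp,192.0.2.53,53,192.0.2.21,40112
2017-09-14T10:02:30,udp,198.51.100.9,53,192.0.2.22,40555
2017-09-14T10:03:00,tcp,192.0.2.77,51514,192.0.2.21,21
"""

# Assumed site values: the pump address range and the only servers
# allowed to answer DHCP and DNS on that segment.
PUMP_NET = ipaddress.ip_network("192.0.2.16/28")
APPROVED_DHCP = {"192.0.2.1"}
APPROVED_DNS = {"192.0.2.53"}


def audit(flow_csv):
    """Return (ts, finding, offender) tuples for flows that break the pump-segment policy."""
    findings = []
    for row in csv.DictReader(flow_csv.splitlines()):
        src, dst = row["src_ip"], row["dst_ip"]
        sport, dport = int(row["src_port"]), int(row["dst_port"])
        from_pump = ipaddress.ip_address(src) in PUMP_NET
        to_pump = ipaddress.ip_address(dst) in PUMP_NET
        # DHCP server replies leave UDP port 67; only the approved server may send them.
        if row["proto"] == "udp" and sport == 67 and src not in APPROVED_DHCP:
            findings.append((row["ts"], "rogue-dhcp-server", src))
        # DNS answers reaching a pump from anything but the approved resolver.
        elif sport == 53 and to_pump and src not in APPROVED_DNS:
            findings.append((row["ts"], "rogue-dns-server", src))
        # A pump sending queries to a resolver it should not be using.
        elif dport == 53 and from_pump and dst not in APPROVED_DNS:
            findings.append((row["ts"], "pump-using-unapproved-dns", dst))
        # FTP control connections to a pump: the advisory notes the pump's
        # FTP server may accept connections without authentication.
        elif row["proto"] == "tcp" and dport == 21 and to_pump:
            findings.append((row["ts"], "ftp-to-pump", src))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(*finding)
```
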

Sources: ICSMA-17-50-02 (ICS-CERT), Syringe infusion pumps can be fiddled with by remote attackers (HelpNetSec), Hacks Can Remotely Access Syringe Infusion Pumps to Deliver Fatal Overdoses (The Hacker News)

Note: The purpose of the weekly executive summary is to provide useful information that a business or agency could use in both its cybersecurity and business strategies. In order for this website to serve the community, we need to know your concerns and questions about (for example) proper safeguards for technology you’re looking into or what sets of compliance and governance policies you would need to operate a particular business. The CSCC openly invites you to send in your inquiries. We’ll have students research your issues and provide an analysis of the information at hand to guide you with all things cybersecurity. Mail us at: uhwocscc@hawaii.edu