September 28, 2022
Vulnerabilities in certain medication infusion pump products from manufacturer Baxter could compromise a hospital's biomedical network. The flaws are prime examples of the risks to the entire healthcare industry posed by medical devices, says Deral Heiland, a researcher at security firm Rapid7, who recently identified the issues. The five vulnerabilities Heiland identified in certain Baxter…

Vulnerabilities in certain medication infusion pump products from manufacturer Baxter could compromise a hospital’s biomedical network.

The flaws are prime examples of the risks to the entire healthcare industry posed by medical devices, says Deral Heiland, a researcher at security firm Rapid7, who recently identified the issues.

The five vulnerabilities Heiland identified in certain Baxter Sigma Spectrum Infusion Pumps and Sigma Wi-Fi Battery Modules “make it possible for a hacker to get into the biomed network,” he says.

The vulnerabilities include network credentials stored on the affected infusion pumps’ removable Wi-Fi card and network-connected batteries.

If exploited, threat actors could physically swap out the pump’s battery and use one of their own batteries to store network credential information, he says.

Batteries sold on the secondary market “are not terribly expensive,” according to Heiland. Threat actors “could literally walk away with the credentials to gain access to the Wi-Fi network,” he says in an interview with Information Security Media Group.

The flaws also highlight the overall risks involving the acquisition and disposal of medical technology, he says.

In the case of the Baxter devices, if a hospital replaces its infusion pumps and sells the affected equipment and its batteries, “basically they’re selling, trading or transferring credentials from their device,” he says.

The odds of any given hospital changing the credentials of its biomed network are low, he says.

“In the medical community as a whole, the de-acquisition of medical technology is a risk we all need to be thinking about.”

The Baxter product vulnerabilities that Heiland identified also involve missing encryption of sensitive data, use of externally controlled format string, and missing authentication for critical function.

Advisories Issued

The flaws are the subject of an advisory issued Thursday by the Cybersecurity Infrastructure and Security Agency, as well as a security bulletin released by Baxter.

Baxter is offering software updates and newer-model batteries to address the issues and also recommends that healthcare entities take other steps to mitigate the risks. Those steps include placing the affected products behind a hospital’s network firewall and isolating them on a segregated network away from other systems.

In the interview (see audio link below photo), Heiland also discusses:

  • Details of the five vulnerabilities he identified in the Baxter products;
  • How the various flaws could be exploited for denial-of-service and man-in-the-middle attacks;
  • Other critical measures healthcare entities and manufacturers should consider to better safeguard medical devices.

Heiland serves as principal security researcher for internet of things devices at security firm Rapid7. He has more than 25 years of experience in the IT field, including more than 15 years focused on security research, security assessments, penetration testing and consulting for corporations and government agencies. Heiland has conducted security research on numerous technical subjects, releasing white papers and security advisories.

Source