Researchers Found Easy to Exploit Vulnerabilities in Drug Infusion Pumps

McAfee Advanced Threat Research (ATR) Researchers, along with the medical device cybersecurity company Culinda, have found 5 earlier unreported vulnerabilities in two popular B. Braun drug infusion pumps models.

The devices are employed internationally in hospitals for treating adult and pediatric patients and systemize the distribution of medicines and nutrients to patients. They are particularly helpful for making sure of a controlled supply of crucial medicine doses.

An unauthenticated attacker could exploit the vulnerabilities in the B. Braun infusion pumps to alter the settings of the infusion pumps as they are in a standby setting, which can bring about an unexpected dose of medicines being provided when the device is utilized, possibly causing hurt to a patient.

McAfee notified B.Braun about the vulnerabilities in the B. Braun SpaceStation and the B. Braun Infusomat Space Large Volume Pump on January 11, 2021, and advised safety measures that ought to be put in place to avoid the exploitation of the vulnerabilities. In May 2021, B.Braun released data for clients and informed the Health Information Sharing & Analysis Center (H-ISAC) concerning the vulnerabilities and proposed mitigations. The vulnerabilities impact infusion pumps operating older B.Braun software versions; nevertheless, the researchers revealed that “vulnerable versions of software program remain extensively used throughout medical facilities and stay in danger of exploitation.

Safety measures were integrated into the infusion pumps to keep attackers from altering dosages as the pumps are functional, therefore an attacker cannot alter dosages while they are being given. The vulnerabilities can nevertheless be taken advantage of as the pumps are on standby or idle, so modifications may be made to the device function in between infusions.

There were no documented incidents of the vulnerabilities in these or other drug infusion pumps being taken advantage of in the wild, however, this is a credible attack case and one that can very easily be taken advantage of to bring about harm to patients. The most recent B.Braun software version obstructs the preliminary network vector of the attack chain, however, the vulnerabilities were not completely addressed. An attacker can find one more way to obtain access to the system to which the devices link and take advantage of the vulnerabilities. Considering the number of ransomware attacks reported in the last few months, getting access to healthcare systems is not showing to be a big problem for lots of threat actors.

Until a detailed suite of patches is made and efficiently followed by B. Braun clients, medical facilities ought to actively give these threats particular focus, and stick to the mitigations and compensating controls offered by B. Braun Medical Inc. in their synchronized vulnerability disclosure records.

The researchers think that a lot of other medical devices may have vulnerabilities that can be taken advantage of to cause problems to patients. Medical devices are created to make sure of patient safety, and safety measures are enforced to make sure patient safety is not put in danger; nevertheless, it is typical for cybersecurity protections to be provided less concern in the course of the design phase. Additionally, when security vulnerabilities are identified in medical devices, patching is expensive. The devices are closely controlled, therefore it isn’t just a case of issuing a patch or instantly upgrading the devices as would happen with a web browser for example. Patches should be completely examined, the devices should be shut down as updates are implemented, and the patches and updates must be completely tested. A lot of devices still continue to utilize older versions of software programs and firmware.

For the moment, ransomware attacks are a bigger problem in the medical field, however at some point, these sites will be secured against this type of ransomware attack and malicious threat actors will try to find other lower-hanging fruits, mentioned the researchers. Considering the lifetime of medical devices and the issues associated with their upgrades, it is essential to begin planning today for tomorrow’s dangers. Hopefully, this research can help provide consciousness to this area that has been ignored for a long time.