Posted on March 9, 2022 at 7:43 AM
Security researchers at Palo Alto Networks have discovered that more than 100,000 infusion pumps are vulnerable to cyber-attacks. The research team reached this conclusion after examining over 200,000 infusion pumps on the networks of several healthcare organizations.
The researchers noted that the infusion pumps are susceptible to two known vulnerabilities that were disclosed in 2019. One flaw has a “high” severity score while the other has a “critical” severity score.
The Vulnerabilities Have High-Severity Ratings
The findings show that tens of thousands of devices are susceptible to at least six critical bugs with a rating of 9.8 out of 10.
The most persistent critical-severity flaw discovered is a memory corruption vulnerability in the VxWorks real-time operating system (RTOS), tracked as CVE-2019-12255. VxWorks is used in embedded devices such as infusion pump systems.
CVE-2019-12255 belongs to the group of bugs known as ‘URGENT/11’, which were discovered and analyzed by researchers at Armis in 2019. Although Wind River, the company that maintains the VxWorks RTOS, addressed the vulnerabilities the same year, there were major delays in applying the updates. As a result, they have become a problem for the continued safety of the devices. The other critical-severity flaws affect products from Baxter International, an American health care provider. The vulnerabilities were reported in 2020, and patches were provided as well. “An alarming 75% of infusion pumps scanned had known security gaps,” the researchers stated, adding that this puts the devices at high risk of being compromised by threat actors.
The risks include exposure to some 40 or more known flaws, which can in turn lead to further vulnerability exposure.
Hackers Could Hijack Infusion Pump Functions
Aveek Das, the researcher who carried out the study, stated that hackers could try to exploit some of the bugs to hijack pump functions, including medication dosing.
He added that the problems the research team discovered are only the “tip of the iceberg”, noting that other connected devices in hospitals could have similar issues as well. The researchers said their concentration on infusion pumps does not mean other devices are less likely to have vulnerabilities. According to Das, the researchers focused on infusion pumps because they account for 44% of all medical devices and are the most common type of connected device in healthcare.
Most large hospital systems have thousands of connected devices, because these devices make day-to-day work easier and speed up the response to medical emergencies. With thousands of infusion pumps likely deployed in a large health care organization, it is difficult for security teams to identify which ones are safe and which ones need to be replaced.
The researchers pointed out that the most common flaws they observed in infusion systems fall into several categories based on the impact they may have. These include overflows, unauthorized access, and leakage of sensitive information.
Other flaws originate in third-party TCP/IP stacks but can still have a massive impact on the devices and their operating systems, according to the researchers.
Some Of The Bugs Can Be Exploited Easily
The researchers also noted that based on their observation, the vulnerabilities in a large number of infusion pump systems are related to leakage of sensitive information. Devices that are exposed to this type of issue can leak network configuration credentials, patient-specific data, or operational information.
However, exploiting the flaws requires different levels of access depending on the bug. For instance, the CVE-2020-12040 bug can be exploited through a man-in-the-middle attack to gain access to all the communication between a server and its infusion pump.
By contrast, vulnerabilities like CVE-2016-8375 and CVE-2016-9355 can only be exploited by someone who has physical access to an infusion device, which can give them access to sensitive information.
As a result, attacks through these two bugs are less likely than attacks through the CVE-2020-12040 vulnerability. However, attackers with the right motivation and technical skills can still succeed in compromising the devices through any of the bugs.
Apart from these vulnerabilities, others allow threat actors to send network traffic to the devices in a particular pattern. This can cause the devices to behave in unintended ways or become unresponsive.
The researchers warned that the bugs can result in several bad outcomes, such as disruption of patient care and hospital operations. As a result, users should apply the patches provided by the manufacturers as soon as possible.