Four vulnerabilities discovered in popular infusion pumps, WiFi batteries

Multiple vulnerabilities have been found in two medical devices produced by billion-dollar healthcare company Baxter International, according to security company Rapid7. 

The issues affect Baxter’s Sigma Spectrum Infusion Pump and the Sigma WiFi battery. According to Rapid7, the infusion pumps are used widely across hospitals in the U.S. and other countries to deliver medication to patients. 

Rapid7 principal Internet of Things researcher Deral Heiland discovered the issues earlier this year and reported them to Baxter on April 20 before working with the company to resolve them. 

The four bugs revolve around the secure decommissioning of Wireless Battery Modules (WBMs). Medical devices typically contain network credentials or other private information that should be removed before a device is transferred to a new user.

Heiland told The Record that the vulnerabilities offer attackers information about the network but none of them can be exploited over the internet or at great distances. Hackers would need to be within at least WiFi range of the affected devices, and in some cases, the attacker would need to have direct, physical access.

“So, while these issues don’t rate as critically high severity, Baxter nonetheless took these findings seriously and worked out mitigations appropriately, putting patient health first,” he said.

“The biggest risk, in my opinion, is that the WiFi/battery unit stores the WiFi credentials (WPA PSK) from the last infusion pump unit it was connected to."

He added that the the pump's factory reset feature does not purge the credential data from the WiFi/battery. Were the batteries sold on a secondary market, somebody could extract the data from them.  

Heiland said he confirmed this by purchasing several of the units off eBay and successfully pulling what appears to be valid WPA PSK and SSID data, which could be traced back to a specific medical organization. 

He noted that if an attacker could get network access to a pump unit, they could – with a single unauthenticated packet – cause the unit to redirect all backend system communications to a host they control, allowing for a potential “man-in-the-middle" attack.

A man in the middle attack is when hackers put themselves in between a conversation between users and an application they are using, allowing them to eavesdrop or impersonate one side.

“This could impact accuracy of the pump data being sent for monitoring and recording purposes, and also potentially be used to intercept drug library data updates to the pumps — which could potentially be dangerous. If drug library data is altered this... would cause the pump not to alert the operator if a dangerous setting was made or could prevent the pump from accepting a valid setting, leading to mistakes being made on drug settings,” he said. 

“I have personally lost count of the number of times I have been left alone within close proximity of infusion pumps.”

In a statement to The Record, Baxter said it has not identified any exploitation of the vulnerabilities and said software updates for CVE-2022-26392 and CVE-2022-26393 are in the process of being created. 

Authentication is already available for CVE-2022-26394, and the company has published instructions for CVE-2022-26390 and is notifying its customers of several immediate actions they can take “to help strengthen the security of their infusion pumps and networks, including instructions for clearing their Spectrum infusion pumps and WBMs of data before they are decommissioned to help ensure private information is removed.”

Baxter added that it is in regular contact with Rapid7, the Food and Drug Administration and the Cybersecurity and Infrastructure Security Agency about the bugs. 

“Baxter takes product security and patient safety seriously and remains vigilant in working to protect its devices from rapidly changing cybersecurity threats and vulnerabilities,” a spokesperson said. 

“We have determined that these vulnerabilities are controlled, meaning they are unlikely to impact patients. We are continuing to collaborate with Rapid7 to understand these vulnerabilities and help our customers alleviate them.”

Baxter said it will release a software update for the Spectrum pump platforms and Wireless Battery Modules in October 2022 that they believe will further mitigate some of the vulnerabilities.

CISA released its own advisory about the issues, the second this week related to medical devices. 

In March, Palo Alto Networks security researchers discovered that more than 100,000 infusion pumps were susceptible to two known vulnerabilities that were disclosed in 2019.

Infusion pumps have long been a source of ire for cybersecurity experts and vendors who have spent more than a decade trying to improve their security. Palo Alto noted that the Food and Drug Administration announced seven recalls for infusion pumps or their components in 2021 and nine more recalls in 2020.

Last year, German healthcare giant B. Braun updated several faulty IV pumps after McAfee discovered vulnerabilities allowing attackers to change doses.

While Heiland and Rapid7 lauded Baxter for its proactive efforts to address the issue, the researcher said medical organizations need to focus on the proper processes and procedures for device de-acquisition.

“Biomedical networks should always be segmented from all other networks, such as general user and/or business networks, to prevent exposing MedTech to potential points of attack,” he said.

“Physical security is also a must. In the healthcare environment, physical security protocols should be developed and maintained to prevent unauthorized access to all MedTech equipment.”