Rapid7 Flags Multiple Vulnerabilities in Baxter Infusion Pumps


Rapid7 has discovered vulnerabilities in two TCP/IP-enabled medical devices produced by Baxter Healthcare. The affected products are:

  • SIGMA Spectrum Infusion Pump (Firmware Version 8.00.01)
  • SIGMA Wi-Fi Battery (Firmware Versions 16, 17, 20 D29)

The disclosure report discusses several vulnerabilities involving the Baxter SIGMA infusion pumps, used by medical professionals in clinical environments and hospitals to dispense medication to patients.

Rapid7 has been working with Baxter to analyse and mitigate these issues, and Baxter has proven to be an excellent partner and champion of transparency in this kind of IoT security research.

The disclosed vulnerabilities were discovered by Deral Heiland, Principal IoT Researcher at Rapid7.

Rapid7 initially reported the issues to Baxter on April 20, 2022.

Since the initial notification, members of Rapid7’s research team and Baxter have worked alongside each other to discuss the impact, resolution, and a coordinated response for all discovered vulnerabilities.

Coordinated disclosure will take place on September 8, 2022, in accordance with the Rapid7 Vulnerability Disclosure Policy.

Statement by Baxter

“In support of our mission to save and sustain lives, Baxter takes product security seriously. We are committed to working with the security researcher community to verify and respond to legitimate vulnerabilities and ask researchers to participate in our responsible reporting process.

Software updates to disable Telnet and FTP (CVE-2022-26392 and CVE-2022-26393) are in process.

Authentication is already available in Spectrum IQ (CVE-2022-26394). Instructions to cleanse WBMs and pumps before decommissioning and transferring to other facilities (CVE-2022-26390) have been updated and made available in the Baxter Security Bulletin.”

Statement by Rapid7

“Baxter is an exemplary medical technology company with an obvious commitment to patient and hospital safety. While medtech vulnerabilities can be tricky and expensive to work through, we’re quite pleased with the responsiveness, transparency, and genuine interest shown by Baxter’s product security teams.”

Additional Commentary by Deral Heiland

“Note that, in all cases, these issues could not have been exploited over the internet or otherwise at great distance; an attacker would need to be within at least WiFi range of the affected devices, and in some cases, the attacker would need to have direct, physical access. So, while these issues don’t rate as critically high severity, Baxter nonetheless took these findings seriously and worked out mitigations appropriately, putting patient health first.”

On attack scenarios:

“The biggest risk, in my opinion, is that the WiFi/battery unit stores the WiFi credentials (WPA PSK) from the last infusion pump unit it was connected to. The pump’s factory reset feature (this is being fixed by Baxter) does not purge the cred data from the WiFi/battery. So, if the WiFi/batteries are sold on secondary market during de-acquisition (e.g., eBay, secondary medical supply businesses, etc.) then anyone purchasing those units could extract the data. I validated this by purchasing several WiFi/battery units off eBay and successfully pulling what appears to be valid WPA PSK and SSID data from the units that could be traced back to a specific medical organization.”

“If an attacker could get network access to a pump unit, they could with a single unauthenticated packet cause the unit to redirect all backend system communications to a host they control, allowing for a potential Man in the Middle attack. This could impact accuracy of the pump data being sent for monitoring and recording purposes, and also potentially be used to intercept Drug library data updates to the pumps — which could potentially be dangerous. (If drug library data is altered this would not immediately lead to incorrect drugs being administered but would cause the pump not to alert the operator if a dangerous setting was made or could prevent the pump from accepting a valid setting leading to mistakes being made on drug settings.)”

“Physical attack scenarios can be carried out via a malicious insider, but they do not have to be. I have personally lost count of the number of times I have been left alone within close proximity of infusion pumps. Also, how often do you think a medical organization such as a hospital actually stops and challenges people?”

Key Takeaways

  1. Medical organizations must focus on the proper processes and procedures for device de-acquisition.

Please see the full report for recommended steps with regard to this vulnerability disclosure. A Rapid7 research paper on this topic is also forthcoming (October/November publication).

  2. As in any technology environment, network segmentation is critically important. Biomedical networks should always be segmented from all other networks, such as general user and/or business networks, to prevent exposing MedTech to potential points of attack.
  3. Physical security is also a must.
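The segmentation takeaway can be made concrete as a firewall policy. The following nftables forward-chain ruleset is an added illustration, not configuration from Rapid7 or Baxter, and every address in it is an assumed placeholder: a biomedical VLAN at 10.50.0.0/24, a user/business VLAN at 10.10.0.0/24, and a single pump gateway/drug-library server at 10.60.0.10. It drops everything routed into the pump segment except traffic to and from that gateway, refuses Telnet and FTP (the legacy services named in the Baxter statement) from any source, and logs every cross-segment attempt so the SOC can see a user-network host probing the pump VLAN.

```nftables
# Added example policy (placeholder addresses, not the vendor's or Rapid7's configuration):
#   biomedical/pump VLAN      10.50.0.0/24
#   user/business VLAN        10.10.0.0/24
#   pump gateway / library    10.60.0.10
table inet medtech_segmentation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Let replies to already-permitted flows through; discard malformed state
        ct state established,related accept
        ct state invalid drop

        # Telnet (23) and FTP (21) are never routed into the pump segment, from any source,
        # even before the vendor update that disables those services lands on every unit
        ip daddr 10.50.0.0/24 tcp dport { 21, 23 } counter log prefix "medtech-legacy-drop " drop

        # Only the designated gateway may initiate toward the pumps, and pumps may only
        # initiate toward the gateway; monitoring and drug-library updates flow through it
        ip saddr 10.60.0.10 ip daddr 10.50.0.0/24 accept
        ip saddr 10.50.0.0/24 ip daddr 10.60.0.10 accept

        # Everything else, including anything from the user/business VLAN, is logged and dropped
        ip saddr 10.10.0.0/24 ip daddr 10.50.0.0/24 counter log prefix "medtech-xseg-drop " drop
        counter log prefix "medtech-default-drop " drop
    }
}
```

Load it with `nft -f <file>` on the router or firewall that sits between the VLANs; because the rules live in the forward hook they only take effect when the segments are actually routed through that host, which is the point of the takeaway: devices that share a flat network with user workstations never pass through a chokepoint like this at all. The `counter log` entries give a cheap detection signal for the "network access to a pump unit" scenario described above without exposing any pump service.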