Infusion Pump Found with Critical Vulnerabilities

A popular infusion pump used by doctors contains critical vulnerabilities. A bug found in the pump allowed malicious actors to alter drug doses of patients.

Infusion pumps are used by hospitals to control the amount of fluids and medications dispensed into patients. These pumps can deliver insulin, painkillers, and other medications over a period of time to patients. The pump is then connected to a workstation used by medical staff to monitor patients.

The affected infusion pump is the Alaris Gateway Workstation (AGW), distributed by Becton Dickinson. This pump is used in at least 50 countries.

Researchers at the healthcare security firm CyberMDX discovered the two major vulnerabilities in the pump. The first vulnerability, CVE-2019-10959, has a critical rating of 10 out of 10 on the CVSS v3 severity scale. The flaw resides in the firmware code of the AGW. Although the vulnerability is low on the complexity scale, the damage it can do is high. Attackers can easily create a malicious firmware update and upload it to the device without any authentication. Once it is uploaded, the attackers can gain access to all information, disable the device, and report misinformation to medical staff. Further, threat actors can change the rate at which medication is dispensed, increase or decrease the dosage, and stop the infusion. This can have a critical effect on patients' health.

Researchers said:

“This exploit can be carried out by anyone who gains access to the hospital’s internal network. Files transferred via the update are copied straight to the internal memory and allowed to override existing files”

The second vulnerability, CVE-2019-10959, has a score of 7.3 out of 10 on the CVSS v3 severity scale. This flaw allows attackers to access the workstation through the web browser of the AGW. Once it is exploited, attackers gain access to the IP address of the workstation, event logs, and configuration.

CyberMDX recommends that hospitals contact the vendor to update the devices to the latest firmware. Hospitals should also block the SMB protocol and ensure the VLAN is segregated. Additionally, best practices should be followed, and only individuals who need access to the customer network should have it.
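One way to check those three recommendations against recorded network flows, as an added example that is not from the article, CyberMDX or the vendor. It assumes SMB is identified by TCP ports 139 and 445; the device subnet, the approved monitoring host and the flow records are constructed sample values.

```python
import ipaddress

# Assumptions (not from the article): SMB is identified by TCP 445 and 139,
# and the subnet, hosts and flow records below are constructed sample values.
SMB_PORTS = {139, 445}
DEVICE_VLAN = ipaddress.ip_network("10.20.30.0/24")      # pump workstation VLAN
ALLOWED_SOURCES = {ipaddress.ip_address("10.20.1.10")}   # staff monitoring host

# Constructed flow records: (source IP, destination IP, protocol, destination port)
SAMPLE_FLOWS = [
    ("10.20.1.10", "10.20.30.15", "tcp", 443),   # approved host, web UI
    ("10.20.1.10", "10.20.30.15", "tcp", 445),   # approved host, but SMB
    ("10.50.7.22", "10.20.30.15", "tcp", 445),   # other segment, SMB
    ("10.50.7.22", "10.20.30.16", "tcp", 80),    # other segment, web UI
    ("10.20.30.16", "10.20.30.15", "tcp", 445),  # SMB inside the device VLAN
    ("10.50.7.22", "10.60.0.5", "tcp", 445),     # SMB elsewhere, out of scope
]

def audit_flow(src, dst, proto, dport):
    """Return the list of findings for one flow toward the device VLAN."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst_ip not in DEVICE_VLAN:
        return []  # only traffic that reaches the devices is in scope
    findings = []
    if proto == "tcp" and dport in SMB_PORTS:
        findings.append("smb-to-device")  # SMB should be blocked outright
    if src_ip not in DEVICE_VLAN and src_ip not in ALLOWED_SOURCES:
        findings.append("unapproved-cross-segment")  # breaks segregation / need-to-access
    return findings

def audit(flows):
    """Return (flow, findings) pairs for every flow with at least one finding."""
    results = []
    for flow in flows:
        findings = audit_flow(*flow)
        if findings:
            results.append((flow, findings))
    return results

if __name__ == "__main__":
    for flow, findings in audit(SAMPLE_FLOWS):
        print(flow, "->", ", ".join(findings))
```

Any finding means a firewall or VLAN rule is not enforcing the recommendation, since a flow record exists only for traffic that was allowed through.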

Moreover, AGW was informed about the vulnerability last November and will notify customers in the near future.

 
