Infusion Pump vulnerabilities allows cyber criminals to hijack hospital ICUs or kill patients

It is a known fact that all kinds of critical medical equipment such as pacemakers, insulin suppliers and monitors are affected by severe security flaws. One of the latest reports on the subject indicates the detection of a severe flaw that allows altering the supply of medicines to patients who depend on the infusion pumps B. Braun Infusomat Space Large Volume Pump and B. Braun SpaceStation.

This is not a new problem. It is enough to remember that, between 2005 and 2009, the U.S. Food and Drug Administration (FDA) received almost 60 thousand reports related to flaws in infusion pumps from various manufacturers. The exploitation of these vulnerabilities is a severe risk, since a successful attack would represent alterations in the health of the affected patients.

Although companies like B. Braun implement strict security settings in their software, on more than one occasion it has been shown that it is possible to compromise these implementations. This time, researchers at the McAfee firm demonstrated what appears to be a functional variant of the attack.

Steve Povolny, director of research at McAfee, says, “Breaking the security boundary between the operating system and the actual device and gaining access to interact between these two elements is the key to the attack.”

A threat actor with access to a health center’s network could take control of these devices through the exploitation of a known vulnerability. At this point, hackers could exploit four additional flaws to disrupt the drug supply; although the attack is highly complex and necessarily requires a first point of support in the compromised facility, the risk of exploitation is real.

B. Braun points out that the flaws are linked to a small number of devices running older versions of the software, noting that there is no evidence of exploitation in real-world scenarios.

About this report, the manufacturing company mentions that the use of the latest versions of the software, released in October, completely mitigates the risk of exploitation. B. Braun also recommends the implementation of other security mechanisms, such as network segmentation and multi-factor authentication.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.