Lives at risk, medical pumps still vulnerable
Medical infusion pumps are modern life-saving devices…… frequently harbour severe security vulnerabilities that, if exploited, could result in death or serious injury Three-Quarters of Medical Infusion Pumps Still Vulnerable, Putting Lives at Risk Medical infusion pumps are modern life-saving devices which deliver controlled doses of fluids, such as medications, directly into a patient’s body. Designed to be used for up to 10 years, these devices are widely used in hospitals, care facilities, and in the home. However, these devices frequently harbour severe security vulnerabilities that, if exploited, could result in death or serious injury. A recent report from researchers at Palo Alto Networks’ Unit 42 revealed that three-quarters of 200,000 medical infusion pumps discovered using Palo Alto Networks’ IoT Security for Healthcare system were impacted to some extent by known vulnerabilities. Over 100,000 of the scanned pumps were found to have severe security flaws. Troublingly, these vulnerabilities are not unknown; they were disclosed in 2019 and dubbed the URGENT/11. One of these vulnerabilities, labelled CVE-2019-12255 is related to the Wind River VxWorks operating system used by medical and other industrial devices, and is a Buffer Overflow flaw in the TCP component, earning it a Common Vulnerability Scoring System (CVSS) severity score of 9.8 out of 10. A second serious vulnerability, CVE-2019-12264 (CVSS score of 7.1) also relates to the Wind River VxWorks OS, where in several versions, the Access Control in IPv4 assignment by the DHCP client component is flawed. A History of Significant Vulnerabilities Has Effected Little Change There have been several instances of serious security flaws being discovered in medical pump devices over the past several years. For example, in May 2015, ICS-CERT published an advisory detailing several critical vulnerabilities in the Hospira LifeCare patient-controlled analgesia (PCA) infusion systems. These systems deliver measured doses of analgesic medication. The vulnerabilities could allow a remote attacker could take complete control of affected devices. In October 2016, Rapid 7 reported that OneTouch Ping insulin pumps have several vulnerabilities that could be remotely exploited. The vulnerability lies between the pump and its remote control, which communicate with each other via an unencrypted channel (CVE-2016-5084), potentially allowing man-in-the-middle (MitM) attacks. In addition, the device has an issue with weak pairing between the pump and the remote (CVE-2016-5085), leaving the device open to spoofing attacks where the remote and its commands are impersonated. Although the OneTouch Ping pump and its remote are not connected to the Internet, attacks could still be carried out remotely from up to a mile away. The problem of remotely exploitable vulnerabilities in medical pumps persisted in 2017, when eight remotely exploitable vulnerabilities were reported in the Smiths Medical Medfusion 4000 wireless syringe infusion pumps. An ICS-CERT advisory indicated that several of the vulnerabilities were critical or high severity issues. The company quickly worked to issue patches for the security flaw. Seeing a need for practical guidance in the safe deployment and use of medical pumps, the National Institute of Standards and Technology (NIST) published SP 1800-8: Securing Wireless Infusion Pumps in Healthcare Delivery Organizations in 2018, with the intention of providing practical and usable advice on the configuration and deployment of wireless infusion pumps. Less than a year later in June of 2019, the U.S. Food and Drug Administration (FDA) and Medtronic informed the public of a recall of the MiniMed 508 and the Paradigm series insulin pumps, citing remotely exploitable vulnerabilities. URGENT/11 Still an Issue After 3 Years The following month, Armis announced the discovery of the URGENT/11, a group of 11 zero-day vulnerabilities in the VxWorks IPnet stack. Six of the vulnerabilities were critical Remote Code Execution (RCE) issues, which could allow complete remote takeover without any user action. Alarmingly, medical infusion pumps are not the only devices impacted by the URGENT/11; SCADA devices, industrial controllers, patient monitors, MRI machines, firewalls, VOIP phones, and printers were also found to be vulnerable to the URGENT/11, due to their use of VxWorks software. And if all that was not bad enough, the URGENT/11 vulnerabilities allow an attacker to broadcast malicious packets throughout a network and simultaneously take control of all VxWorks devices receiving them. In October 2019, researchers who had been worried that URGENT/11 may impact any device that used IPnet in their Real-Time Operating Systems (RTOS) had their worst fears confirmed. Armis identified six additional Real-Time Operating Systems (RTOS) that supported IPnet TCP/IP stack, including “OSE by ENEA, Integrity by Green Hills, ThreadX by Microsoft, Nucleus RTOS by Mentor, ITRON by TRON Forum, and ZebOS by IP Infusion”. The researchers warned that potentially millions of additional medical, industrial, and enterprise devices were at risk from the URGENT/11 vulnerabilities.
Amis researchers have continued to monitor the number of devices vulnerable to the URGENT/11. As of December 2020, they estimated that approximately 97% of all OT devices impacted by the URGENT/11 vulnerabilities had not been patched. Even as millions of devices go unpatched to known critical vulnerabilities despite guidance on configuration and deployment from organisations like NIST, security researchers continue to find new vulnerabilities in medical pumps that could be remotely exploited to alter a patient’s dosage. In August 2021, severe vulnerabilities were identified in B. Braun’s Infusomat Space large volume infusion pump and SpaceStation system potentially leading to the manipulation of lethal doses of medication, and in October, the Medtronic recall was expanded to include the optional remote controllers, with the FDA ominously warning that use of the devices may cause serious injuries or death. Patch and Monitor is Still the Best Advice In addition to securing devices against known threats with the latest security updates, networks should also be monitored for suspicious activity. Specifically, defenders should be on the look out for the most common issues and indicators of malicious activity in infusion pump systems, including:
- Large numbers of reset packets originating externally, potentially indicating continuous unsuccessful connection attempts to a device.
- Garbage values in the User-Agent string of a HTTP request between the infusion system and the corresponding destination can indicate suspicious behaviour.
- Unencrypted credentials in HTTP requests can be intercepted by a malicious actor.
- Factory default credentials used in inbound HTTP or FTP logins.
- Unusual port numbers and counts in incoming and outgoing traffic in the infusion system may indicate suspicious activity.
- Unsecured outbound HTTP or FTP connections from infusion systems to the internet. These should be limited to local VLAN traffic.
- Anonymous FTP login attempts without a specific username or password via the local network may indicate malicious activity.