The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has sent a legal notice on 7th September 2017 for the Smiths Medical Medfusion Wireless Syringe Infusion Pumps considering the 8 vulnerabilities identified by Independent researcher Scott Gayou.
Internet of Things(IoT) is the talk of the town now, where everything is connected to one another via Internet. IoT is spreading to almost every industry making the already smart devices even smarter. Yeah, I can get what you are thinking about. Wouldn’t it be a problem if everything is connected to everything? So, breaching one device could totally ruin everything! One must be smart enough to use the smart devices and know what to connect and what not to. After the recent Peacemakers issue toiled by the FDA (US Food and Administration) which was found vulnerable to hackers, now even medical devices are under the radar!
Technology isn’t the only one that keeps updating, but so are the hackers.
Scott Gayou, an independent researcher identified eight security vulnerabilities in the Medfusion 4000 Wireless Syringe Infusion Pumps. ICS-CERT considering these vulnerabilities, which could be fatal on breach of hackers, issued a warning on Thursday.
Wireless Syringe Infusion Pump are Wi-Fi enabled medical devices that deliver fluids into a patient’s body in controlled amounts. Security threats give way for hackers to access those controlled amounts. Over dosage of fluids can be fatal.
ICS-CERT stated that the device can be easily breached by a hacker through the therapeutic module of the pump
What went wrong?
· Authentication failure- The pump is configured to allow FTP connections. So, the hacker could easily attack as the IP addresses aren’t static.
· Buffer Overrun – This bug is an anomaly where the buffer’s boundary overruns and thus overwrites the data in an adjacent memory location. So, the hacker can exploit the data from remote conditions.
· Hard Coded Credentials – If the data or input is embedded within the software code it is called hard coded credentials. Changing or formatting the data could exploit the core software itself. This typically leads to a significant authentication failure.
· Validation failure – Lack of proper host certificate validation leaves the pump vulnerable to Man-in-the-Middle (MITM) attacks.
· Modularity bugs – The Communication and Operational modules of the device can be crashed using hard coded credentials, accessing config files because of improper authentication.
And the solution is…
Prevention is better than cure!
The 1.1,1.5 and 1.6 versions of the impacted devices are put off from use considering how fatal it could be if breached.
The healthcare organizations are asked to apply few defensive measures like
Ø Assigning static IP addresses to pumps
Ø Monitoring network activity for malicious servers
Ø Installing the pump on isolated networks
Ø Setting strong passwords
Ø Regularly creating backups
Smiths Medical has decided to address these security flaws and release the updated version of the same device by January 2018.