Security flaws found in wireless syringe infusion pumps could see hackers remotely causing harm to patients
Security experts have uncovered vulnerabilities in wireless syringe infusion pumps, which could be exploited remotely by hackers to operate the device and cause harm to patients.
The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (DHS ICS-CERT) issued an advisory late last week, detailing eight cybersecurity vulnerabilities found in Medfusion 4000 wireless infusion pump devices, manufactured by Smiths Medical.
Wireless syringe pumps are connected medical devices that healthcare professionals worldwide use to deliver small doses of medication “in acute care settings”. They’re also used to deliver medication to critical care patients, including those in neonatal and pediatric intensive care units as well as the operating room.
According to ICS-CERT, the vulnerabilities, uncovered by independent security researcher Scott Gayou, could be exploited remotely by a competent hacker. Gayou said cybercriminals could use this flaw to launch MITM (man-in-the-middle) attacks, automatically establish a wireless network connection and operate modules of the device.
“Successful exploitation of these vulnerabilities may allow a remote attacker to gain unauthorised access and impact the intended operation of the pump. Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump,” ICS-CERT said in its advisory.
“Impact to individual organisations depends on many factors that are unique to each organisation. ICS-CERT recommends that organisations evaluate the impact of these vulnerabilities based on their operational environment and specific clinical usage.”
However, Smiths Medical has claimed that an attack of this nature is “highly unlikely”, and doesn’t plan to release patches for the bugs until it releases a new version of the device, set for mid-January 2018.