Posted 08 September 2017
By Michael Mezher
The Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (DHS ICS-CERT) on Thursday issued an advisory detailing eight cybersecurity vulnerabilities found in Smiths Medical's Medfusion 4000 wireless infusion pumps.
The vulnerabilities, identified by cybersecurity researcher Scott Gayou, range in severity from low to critical on the Common Vulnerability Scoring System (CVSS V3) and, according to ICS-CERT, could be exploited remotely by a skilled hacker.
"Successful exploitation of these vulnerabilities may allow a remote attacker to gain unauthorized access and impact the intended operation of the pump. Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump," ICS-CERT says.
But despite this, Smiths Medical says it is "highly unlikely" that the vulnerabilities would be exploited in a clinical setting, and that it is planning to release an update to address the vulnerabilities by mid-January 2018.
Smiths also says it has been working with ICS-CERT and the US Food and Drug Administration (FDA) to mitigate the cybersecurity issues.
The advisory lists eight vulnerabilities found on three versions of Smiths' Medfusion 4000 Wireless Syringe Infusion Pump (versions 1.1, 1.5 and 1.6).
Six of the vulnerabilities involve the use of hard-coded credentials, authentication gaps and certificate validation issues, which could allow a hacker to gain access to the device.
The other two involve third-party components. One is a component that "does not verify buffer size prior to copying, leading to a buffer overflow, allowing remote code execution on the target device." But the advisory notes that the pump receives these inputs infrequently and only under certain circumstances, which makes the vulnerability more difficult to exploit.
The second relates to a component that could cause memory out-of-bounds errors, which could cause the device's communications module to crash, though Smiths says this type of crash would not impact the device's therapeutic functionality.
To mitigate the risks posed by the vulnerabilities, ICS-CERT says that facilities using the devices should conduct a risk assessment to determine whether they should disconnect the pumps from their network until a fix is available.
While disabling networking features would minimize the possibility of attacking the devices, ICS-CERT says this would require staff to manually update the pumps' drug libraries.
If the devices remain networked, ICS-CERT says users should close off several ports, including Port 20/FTP, Port 21/FTP and Port 23/Telnet, and ensure the FTP server is disabled.
Additionally, ICS-CERT says that network traffic to the devices should be monitored and logged and that the devices should be isolated from the Internet and any untrusted systems.
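One way to check logged traffic against the mitigations above, as an added example that is not from the advisory or from Smiths Medical. The pump subnet, the trusted server address, the log format and the sample records are all constructed assumptions.

```python
import ipaddress

# Assumed values, not from the advisory: pump subnet and the one trusted server.
PUMP_NET = ipaddress.ip_network("10.20.30.0/24")
TRUSTED_PEERS = {ipaddress.ip_address("10.20.1.5")}
# Ports the advisory says to close on networked pumps.
BLOCKED_PORTS = {20: "FTP", 21: "FTP", 23: "Telnet"}

# Constructed flow records: timestamp src dst proto dport action
SAMPLE_FLOWS = """\
2017-09-08T10:00:01Z 10.20.1.5 10.20.30.11 tcp 443 ALLOW
2017-09-08T10:00:07Z 10.20.1.77 10.20.30.11 tcp 21 ALLOW
2017-09-08T10:01:12Z 10.20.1.5 10.20.30.12 tcp 23 DENY
2017-09-08T10:02:30Z 10.20.30.12 203.0.113.9 tcp 80 ALLOW
2017-09-08T10:03:00Z 10.20.1.5 10.20.1.9 tcp 21 ALLOW
malformed line
"""

def audit(flow_text):
    """Return (line_number, kind, detail) for every flow that breaks a mitigation."""
    findings = []
    for lineno, line in enumerate(flow_text.splitlines(), 1):
        try:
            _ts, src, dst, _proto, dport, action = line.split()
            src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            dport = int(dport)
        except ValueError:
            # Fail closed: a record that cannot be parsed is itself reported.
            findings.append((lineno, "unparsed", line))
            continue
        src_pump, dst_pump = src in PUMP_NET, dst in PUMP_NET
        if not (src_pump or dst_pump):
            continue  # traffic that does not involve a pump
        if dst_pump and dport in BLOCKED_PORTS:
            # ALLOW means the port is still reachable; DENY is a blocked attempt.
            kind = "blocked-port-open" if action == "ALLOW" else "blocked-port-attempt"
            detail = f"{src} -> {dst}:{dport} ({BLOCKED_PORTS[dport]})"
            findings.append((lineno, kind, detail))
        peer = dst if src_pump else src
        if action == "ALLOW" and peer not in PUMP_NET and peer not in TRUSTED_PEERS:
            # Pump talking to the Internet or another untrusted system.
            findings.append((lineno, "untrusted-peer", f"{src} -> {dst}:{dport}"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(*finding)
```
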
Advisory, Smiths Statement