B. Braun has released an update for faulty IV pumps

The Infusomat Space Large Volume Pump and SpaceStation from B. Braun had major security flaws that could have been exploited by threat actors to change medication doses without prior authorization.

 

McAfee cybersecurity experts uncovered and revealed five previously unknown security vulnerabilities in B. Braun Infusomat pumps.

 

On January 11, 2021, the researchers notified the German medical and pharmaceutical device company of the vulnerabilities. The “modification could appear as a device malfunction and be noticed only after a substantial amount of drug has been dispensed to a patient, since the infusion pump displays exactly what was prescribed, all while dispensing potentially lethal doses of medication”, they said.

 

B. Braun resolved the issues in SpaceCom L82 and later, Battery Pack SP with WiFi: L82 and later, and DataModule compactplus version A12 and later.

 

Infusion pumps are medical devices that administer controlled amounts of intravenous fluids into a patient’s body, such as nutrition and drugs. SpaceStation is a medical facility-specific docking and communication system that can support up to four infusion pumps.

 

The devices are controlled by a software component called SpaceCom, which is an embedded Linux system that operates either on the pump or within the SpaceStation.

 

The flaws discovered could allow an attacker to gain elevated access, read sensitive data, upload arbitrary files, and execute code remotely.

 

An attacker might use the flaws to change the configuration of a pump while it is in standby mode, resulting in an unexpected dose of medication being delivered to a patient on the next use, all without requiring any authentication.

 

An attacker could send commands or data to the pump’s operating system, allowing for remote attacks that not only go undetected, but also weaponize the device by changing the amount of medication a patient is supposed to get via infusion.

 

The attacks succeed only while a pump is inactive or in standby mode between infusions, and the threat actor must first gain access to the local network, or potentially carry out the attacks over the internet if the pumps are directly exposed.

 

B. Braun stated in an advisory that all facilities using SpaceCom, Battery Pack SP with WiFi, and DataModule compactplus should examine their IT infrastructure to ensure that a network zone concept has been established in which vital equipment, such as infusion pumps, is kept in separate environments (e.g., separated by firewalls or VLANs) that are not accessible directly from the internet or by unauthorized users.

 

The company also noted that wireless networks should be equipped with Intrusion Detection Systems (IDS) and/or Intrusion Prevention Systems (IPS) and should use multi-factor authentication and industry-standard encryption.

 

 
