McAfee security researchers said on August 24, local time, that they discovered multiple vulnerabilities in infusion pump software that, under certain conditions, could be exploited by skilled hackers to alter a patient’s drug dose to potentially unsafe levels. The vulnerabilities reside in devices manufactured by multinational supplier B. Braun, which are used in pediatric and adult medical facilities in the United States.
While there have been no reports of malicious exploitation of these vulnerabilities, this research shows that in today’s 21st century era of pervasive digital threats, there are significant challenges in protecting devices from decades ago. The findings come as the healthcare industry faces a spate of ransomware attacks on aging hospital computer networks during the pandemic.
Steve Povolny, who leads McAfee’s advanced threat research team, said medical devices “remain vulnerable to legacy issues that have been around for years, with unusually slow update or upgrade cycles.” The researchers found five previously unreported health care systems vulnerabilities, including:
CVE-2021-33886 – Use of external control format strings (CVSS 7.7)
CVE-2021-33885 – Insufficient validation of data authenticity (CVSS 9.7)
CVE-2021-33882 – Authentication missing key features (CVSS 8.2)
CVE-2021-33883 – Cleartext Transmission of Sensitive Information (CVSS 7.1)
CVE-2021-33884 – Unrestricted upload of files with dangerous types (CVSS 5.8)
Taken together, these vulnerabilities could be used by malicious actors to modify the configuration of the pump while the pump is in standby mode, resulting in an unexpected dose of the drug being delivered to the patient the next time it is used – all with zero authentication. In accordance with McAfee’s Vulnerability Disclosure Policy, its preliminary findings were reported to B. Braun on January 11, 2021. Shortly thereafter, they responded and began an ongoing dialogue with ATR while working towards the mitigations we outlined in our disclosure report.
B. Braun said in a statement that it disclosed the vulnerabilities, along with mitigations, to customers and the Health Information Sharing and Analysis Center in May, affecting “a small percentage of usage B. Braun Devices with Older Versions of Software”. The company did not provide an estimated number of affected devices.
“We strongly disagree with McAfee’s description in his post that this is a ‘real-world scenario’ where patient safety is at risk,” B. Braun’s statement continued. “We have a robust vulnerability disclosure program, and when a vulnerability is discovered, our goal is to reduce the potential risk as quickly as possible.”
The research comes with a few caveats: The attack scenario requires the hacker to first access the local network the device is running on, and the infusion pump must be on standby, not in use. The complete and attack chain is shown below.
Medical professionals also monitor the dose delivered by the infusion pump and are trained to spot abnormalities. Still, Povolny and his colleagues demonstrated how attackers could surreptitiously alter drug doses — without the machine knowing.
Once inside the syringe pump’s communication module, the McAfee researchers showed how they could inject code into the binary that the machine uses to communicate with the pump’s configuration. To cover their tracks, the researchers simply restarted the syringe pump, erasing evidence of their order, they said.
According to the McAfee researchers, while the latest version of the Braun infusion pump blocks researchers’ access to the infusion pump’s communication module, there are other possible points of entry for hackers. B. Braun has yet to release a software update that fully addresses the security issue, the researchers said.
(McaFee Advanced Threat Research Team Demonstrates Attack on Braun Infusion Pump)
A spokeswoman for the Food and Drug Administration (FDA) said the agency had not been informed of the disclosure of the breach.
An FDA spokesperson said: “The FDA will contact researchers to review vulnerability information after it is released, and will coordinate with medical device manufacturers to review impact assessments to determine whether there are potential patient safety concerns that may involve regulation. “
It is estimated that more than 200 million intravenous infusions are administered globally each year. The infusion pump market is clearly a potential target for attackers. The market has an estimated annual revenue of $54 billion, with U.S. intravenous pump sales of $13.5 billion in 2020. Intravenous pumps are considered safe by nature and have over time become the backbone of effective and accurate drug delivery. B. Braun is one of the major market share holders in this fast-growing market, underscoring the impact of these vulnerability findings. Headquartered in Pennsylvania, with offices around the world, B. Braun had $8.7 billion in sales last year.
In recent years, the FDA has sought to urge suppliers to take better security measures as researchers examine medical devices more closely for hackable vulnerabilities.
In 2019, for example, the FDA asked patients to switch to a safer insulin pump model after researchers showed that hackers could potentially control insulin delivery on an insulin pump made by major supplier Medtronic.
A growing number of medical device vendors have established vulnerability disclosure programs in which researchers can report software flaws before bad actors exploit them. But experts say the industry is still struggling to quickly apply critical software updates.
McAfee’s research is the latest in real-time operating systems (RTOS), the software hubs that manage network data flows in areas such as energy and healthcare. BlackBerry confirmed last week that the real-time operating system (RTOS) popular in infusion pumps is also vulnerable to a separate set of denial-of-service vulnerabilities.
In the conclusion of his blog post, McAfee wrote, “We hope this research will help bring awareness to this area that has long been a blind spot. Dr. Nordeck, MD, is an interventional radiology resident at a Level 1 Trauma Center. Physician, formerly Army Medic and Allied Health Officer. In the field of medicine for over 20 years.) affirmed the importance of this research, saying: Manipulating medical devices in a way that actually weaponizes them, something that only Hollywood had conceived before, and that McAfee’s ATR team has proven possible. “The explicit goal of a device manufacturer to produce a safe and reliable product demonstrates the importance of built-in safeguards. However, there may be flaws that could make a device succumb to a ransomware attack or potential harm. Therefore, manufacturers should contact security professionals with People collaborate and independently test their products to discover and correct potential threats to maintain patient safety and device safety.”
The Links: FS35R12W1T4 LQ104X2LX11