B. Braun Infusomat pumps could be hacked to alter medication doses

Researchers disclosed five vulnerabilities in B. Braun’s Infusomat Space Large Volume Pump and SpaceStation that could allow the devices to be remotely hacked.

Cybersecurity researchers from McAfee disclosed five vulnerabilities in B. Braun’s Infusomat Space Large Volume Pump and SpaceStation that could be exploited by threat actors to alter medication doses.

The flawed devices are used in both adult and pediatric medical facilities. The research was conducted with the support of Culinda, a trusted leader in medical cybersecurity. The five previously unreported vulnerabilities in the medical system are:

  1. CVE-2021-33886 – Use of Externally-Controlled Format String (CVSS 7.7)
  2. CVE-2021-33885 – Insufficient Verification of Data Authenticity (CVSS 9.7)
  3. CVE-2021-33882 – Missing Authentication for Critical Function (CVSS 8.2)
  4. CVE-2021-33883 – Cleartext Transmission of Sensitive Information (CVSS 7.1)
  5. CVE-2021-33884 – Unrestricted Upload of File with Dangerous Type (CVSS 5.8)

These vulnerabilities could be chained to modify a pump’s configuration while the device is in standby mode, causing an unexpected dose of medication to be delivered to a patient on its next use. An attacker doesn’t need any authentication to conduct the attack.

The system analyzed by the experts is composed of three main components: a B. Braun Infusomat Large Volume Pump Model 871305U (the actual infusion pump), a SpaceStation Model 8713142U (a docking station holding up to 4 pumps), and a software component called SpaceCom version 012U000050. These

The flaws were privately reported to the medical manufacturer on January 11. B. Braun addressed them in SpaceCom L82 or later, Battery Pack SP with WiFi: L82 or later, and DataModule compactplus version A12 or later.

“Successful exploitation of these vulnerabilities could allow a sophisticated attacker to compromise the security of the Space or compactplus communication devices, allowing an attacker to escalate privileges, view sensitive information, upload arbitrary files, and perform remote code execution.” reads the advisory published by B. Braun. “Under certain conditions, successful exploitation of these vulnerabilities could allow an attacker to change the configuration of a connected infusion pump Perfusor®, Infusomat®, Infusomat® P from both Space and compactplus family which may alter infusions after a successful attack.”

Experts pointed out that the attacks can only be conducted when a pump is idle or in standby mode in between infusions; in any case, an attacker needs access to the local network to target the pumps.

“Although this attack chain presents a complete method to modify critical pump data, it is important to recognize the conditions required for this attack to be successful. These pumps are designed to be network connected to a local internal network. Therefore, under normal operating conditions an attacker would need to have found a method to gain access to the local network.” reads the analysis published by the researchers. “Could this attack take place over the internet? Technically speaking, yes; however, it would be very unlikely to see a setup where a pump is directly internet-connected.”

Experts highlighted that it is not difficult for attackers to gain access to local networks; they also pointed out that hospital or medical facilities are generally public places with little to no barriers to entry.

In the video below, the experts first show the pump under normal operation, then modify the configuration remotely by chaining the above issues and illustrate the effect on the pump when administering medication.

“Now that we have an idea of what happens to the device when we alter its internal configuration, we can consider how this could play out in the real world. As mentioned previously, medical staff are expected to be extra-careful when using these devices, ensuring the numbers match the doctor’s order.” concludes McAfee.

“All facilities utilizing SpaceCom, Battery Pack SP with WiFi, and DataModule compactplus should review their IT infrastructure to ensure that a network zone concept has been implemented whereby critical systems, such as infusion pumps, are housed in separate (e.g., by firewalls or VLAN) environments which are not accessible directly from the internet or by unauthorized users,” reads the advisory published by B. Braun on May 14, 2021. “Wireless networks should be implemented using multi-factor authentication and industry standard encryption and should be equipped with Intrusion Detection Systems (IDS) and/or Intrusion Prevention Systems (IPS).”

Pierluigi Paganini

(SecurityAffairs – hacking, B. Braun)
