Hackers can remotely access Smiths Medical Syringe Infusion Pumps to kill patients

The US-CERT is warning of hackers can remotely access Smiths Medical Syringe Infusion Pumps to control them and kill patients.

IoT devices continue to enlarge our surface of attack, and in some cases, their lack of security can put our lives in danger.

Let’s thinks for example of medical devices that could be hacked by attackers with serious consequences.
Earlier this month, the US Food and Drug Administration (FDA) recalled 465,000 pacemakers because they are vulnerable to hacking, million people in the United States urged to get their pacemakers updated.

In May, researchers from security firm White Scope analyzed seven pacemaker models commercialized by four different manufacturers and discovered that medical devices could be hacked with  “commercially available” equipment that goes between $15 to $3,000.

The FDA has recalled 465,000 pacemakers after discovering security vulnerabilities that could be exploited by hackers to reprogram the medical devices to run the batteries down or in a terrifying hacking scenario to modify the patient’s heartbeat.

The good news is that there are no reports of hacked pacemakers yet.

News of the day is that Smiths Medical’s Medfusion 4000 Wireless Syringe Infusion Pumps used in acute critical care settings could be remotely controlled by attackers.

The medical devices are used worldwide for intensive care such as neonatal and pediatric intensive care and the surgery room.

The remotely exploitable vulnerability was discovered by the independent researcher Scott Gayou, the expert has found eight vulnerabilities in the Smiths Medical’s Medfusion 4000 Wireless Syringe Infusion Pumps.

The bad news is that Smiths Medical will fix the flaws in the new release that is planning to release in January, 2018.

“Independent researcher Scott Gayou has identified eight vulnerabilities in Smiths Medical’s Medfusion 4000 Wireless Syringe Infusion Pump. Smiths Medical is planning to release a new product version to address these vulnerabilities in January, 2018. In the interim, NCCIC/ICS-CERT is recommending that users apply the identified compensating controls until the new version can be applied.” reads the advisory published by the NCCIC/ICS-CERT.

“These vulnerabilities could be exploited remotely.”

The following Medfusion 4000 Wireless Syringe Infusion Pump versions are affected by the vulnerabilities:

• Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.1,
• Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.5, and
• Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.6

Some of the flaws are high in severity and can be remotely exploited to “gain unauthorized access and impact the intended operation of the pump.”

“Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump.” continues the US-CERT.

The most severe issue is the CVE-2017-12725 vulnerability, it is related to the presence of hardcoded credentials to automatically establish a wireless connection to a device with a default configuration.

The vulnerability has been rated with a CVSS score of 9.8

The list of high-severity vulnerabilities include:

• to crash the communications and operational modules of the medical device.
• to authenticate to telnet using hard-coded credentials.
• to obtain passwords from configuration files.