A group of five vulnerabilities in the B. Braun Infusomat Space Large Volume Pump could allow an attacker to modify system configurations in standby mode and deliver an unexpected dose of medication to patients without any need for authentication, according to a new report from McAfee Enterprise Advanced Threat Research.
The series of flaws outlined in the report highlights the continued challenge of securing medical devices in the health care space. It also provides an in-depth look at just how easily a compromised device could directly put patient safety at risk.
The McAfee research team partnered with Culinda and analyzed the B. Braun infusion pump and its SpaceStation platform, commonly used in both adult and pediatric care settings. The team sought to determine whether an attacker could impact patient safety by exploiting a vulnerability in a real-world setting.
The flaws were found in the infusion pump itself, in SpaceStation model 871305U, a docking station that holds up to four pumps, and in the SpaceCom version 012U000050 software component.
McAfee found that, with access to the device, the researchers were able to modify both disposable and configuration data on the pump, so a malicious exploit could create a number of patient safety and data risks.
For one, an attacker could put the device in an unusable state or write arbitrary messages. The researchers also focused on “disposable data,” which they judged to pose the biggest risk to patient safety, and by exploiting the flaws in an attack chain they remotely modified the configuration.
Two of the vulnerabilities lie in the PCS binary and in how it interfaces with the CAN bus through the canon binary. That channel is reached through a proprietary TCP networking protocol that listens by default on port 1500. The researchers determined the protocol is both unencrypted and unauthenticated, so anyone who can reach the port can read and forge its messages, posing a serious risk to the data it carries.
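Because the port 1500 protocol accepts anyone who can reach it, the practical compensating control is to notice when a host that has no business speaking it does. The following is an added monitoring example, not McAfee's or B. Braun's code: it scans Zeek conn.log-style records for TCP/1500 attempts against the pump subnet from hosts outside an allowlist. The subnet, the allowlisted management host and the log lines are all constructed assumptions for the illustration.

```python
"""Flag connections to the pump protocol port from unexpected hosts.

Added example for monitoring the unauthenticated TCP/1500 channel; not McAfee's
or B. Braun's code. Assumptions: pumps and SpaceStations live in their own
subnet, only a short allowlist of management hosts should ever open TCP/1500 to
them, and the input is Zeek conn.log-style tab-separated lines (the sample
lines below are constructed).
"""
import ipaddress

PUMP_PORT = 1500                                         # default port of the PCS protocol, per the report
PUMP_NET = ipaddress.ip_network("10.50.1.0/24")          # assumption: pump/SpaceStation VLAN
ALLOWED_CLIENTS = {ipaddress.ip_address("10.50.0.10")}   # assumption: the only host meant to speak the protocol

# Constructed sample: ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, conn_state
SAMPLE_LOG = """\
1629100000.1\t10.50.0.10\t51234\t10.50.1.21\t1500\ttcp\tSF
1629100001.2\t10.20.3.44\t43210\t10.50.1.21\t1500\ttcp\tSF
1629100002.3\t10.20.3.44\t43211\t10.50.1.22\t443\ttcp\tSF
1629100003.4\t10.50.0.10\t51235\t10.50.1.23\t1500\ttcp\tS0
1629100004.5\t192.168.7.9\t6000\t10.50.1.21\t1500\tudp\tS0
1629100005.6\t10.20.3.44\t43212\t10.50.1.23\t1500\ttcp\tS0
"""


def parse_conn_line(line):
    """Split one conn.log-style line into typed fields."""
    ts, orig_h, orig_p, resp_h, resp_p, proto, state = line.split("\t")
    return {
        "ts": float(ts),
        "orig_h": ipaddress.ip_address(orig_h),
        "orig_p": int(orig_p),
        "resp_h": ipaddress.ip_address(resp_h),
        "resp_p": int(resp_p),
        "proto": proto,
        "state": state,
    }


def suspicious_pump_connections(log_text):
    """Return TCP/1500 attempts against the pump subnet from non-allowlisted hosts.

    Completed (SF) and unanswered (S0) attempts are both kept: a rogue host
    merely probing the port is already a signal worth investigating.
    """
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = parse_conn_line(line)
        if rec["proto"] != "tcp" or rec["resp_p"] != PUMP_PORT:
            continue
        if rec["resp_h"] not in PUMP_NET or rec["orig_h"] in ALLOWED_CLIENTS:
            continue
        hits.append(rec)
    return hits


def summarize(hits):
    """Count flagged attempts per source host, e.g. for an alert body."""
    counts = {}
    for rec in hits:
        src = str(rec["orig_h"])
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    for src, n in summarize(suspicious_pump_connections(SAMPLE_LOG)).items():
        print(f"ALERT: {src} opened TCP/{PUMP_PORT} to the pump subnet {n} time(s)")
```

Run against the sample, only the two attempts from 10.20.3.44 are flagged: the management host is allowlisted, the port 443 flow is unrelated, and the UDP line is ignored because the report describes a TCP protocol. In production the allowlist and subnet should come from the same inventory that tracks which SpaceStations are deployed, so that an unexpected client is never silently "expected".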
McAfee relied heavily on these protocol weaknesses for its attacks on the pumps. Once on the device, the researchers performed further reconnaissance and found a listening remote interface backed by a common open source service, “json-dbus-bridge.”
That interface carried a format string vulnerability first disclosed by a third-party vendor in 2015 and still unpatched in the infusion pump, since the fix was never included in a B. Braun software update. By leveraging the interface flaw, the researchers built a working exploit that gave them shell access to the device.
Given the impact to unpatched devices, McAfee did not fully detail the exploit.
“SpaceCom is an embedded Linux system that can run either on the pump from within its smart-battery pack or from inside the SpaceStation. However, when the pump is plugged into the SpaceStation, the pump’s SpaceCom gets disabled,” researchers explained. The devices were examined when connected to the SpaceStation to mimic the most common use case.
The infusion pumps also had a privilege escalation flaw tied to the web interface, whose backup and export options rely on tarring a folder. Because the backup archive can be downloaded and later re-imported to restore settings, and because, as the researchers put it, the “root is the user doing the untarring in such a way that file permissions are being preserved from the provided tar file,” whatever the archive contains is extracted with root’s authority.
An attacker who tampers with the archive can therefore escalate privileges by embedding a crafted binary, for example one carrying the setuid bit, which a permission-preserving extraction by root leaves intact. Researchers found that the import/export code itself enabled this.
B. Braun also examined this attack scenario and found “an authenticated arbitrary file upload vulnerability combined with an unvalidated symbolic link and local privilege escalations enables attackers to execute commands as the root user.”
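The root-untar weakness and the unvalidated symbolic link B. Braun describes have the same fix on the importer side: inspect every archive entry against an explicit policy before anything is written to disk. The block below is an added example, not B. Braun's import code; the policy (plain files and directories only, no links, no special files, no setuid/setgid/sticky bits, no paths that escape the import directory) is an assumption about what a settings backup legitimately contains, and the two archives are constructed in memory for illustration.

```python
"""Validate a settings backup archive before a privileged import.

Added example, not B. Braun's import code. It turns the weaknesses described
above (root untarring with permissions preserved, unvalidated symbolic links)
into an explicit reject list that runs before anything touches disk. The
archives below are constructed in memory; the policy is an assumption about
what a settings backup should legitimately contain.
"""
import io
import stat
import tarfile

# Bits an attacker needs a root extraction to preserve for a crafted binary.
DISALLOWED_BITS = stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX


def validate_backup(archive_bytes):
    """Return the list of reasons the archive is unsafe; an empty list means it passed."""
    problems = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            if m.name.startswith("/") or ".." in m.name.split("/"):
                problems.append(f"{m.name}: path escapes the import directory")
            if m.issym() or m.islnk():
                problems.append(f"{m.name}: links are not allowed (they can redirect later writes outside the import directory)")
            elif m.isdev() or m.isfifo():
                problems.append(f"{m.name}: special files are not allowed")
            elif not (m.isfile() or m.isdir()):
                problems.append(f"{m.name}: unsupported entry type")
            if m.mode & DISALLOWED_BITS:
                problems.append(f"{m.name}: setuid/setgid/sticky bit set (mode {m.mode:o})")
    return problems


def build_archive(entries):
    """Build an in-memory tar from (name, data, mode, symlink_target) tuples. Constructed test data only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data, mode, target in entries:
            info = tarfile.TarInfo(name)
            info.mode = mode
            if target is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = target
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# A legitimate backup: one config file with ordinary permissions (constructed).
BENIGN = build_archive([
    ("settings/pump.cfg", b"library=ward-A\n", 0o644, None),
])

# A tampered backup: the same config plus entries that a root, permission-preserving
# untar would honour (constructed).
MALICIOUS = build_archive([
    ("settings/pump.cfg", b"library=ward-A\n", 0o644, None),
    ("settings/helper", b"\x7fELF" + b"\0" * 12, 0o4755, None),      # setuid bit survives extraction as root
    ("settings/etc", b"", 0o777, "/etc"),                           # symlink: later entries under settings/etc land in /etc
    ("../etc/cron.d/job", b"* * * * * root /tmp/x\n", 0o644, None),  # path traversal out of the import directory
])


if __name__ == "__main__":
    print("benign:", validate_backup(BENIGN) or "ok")
    for problem in validate_backup(MALICIOUS):
        print("reject:", problem)
```

Validation alone is only half of the fix. The extraction that follows should also run as an unprivileged user and without preserving ownership or permission bits (with GNU tar, `--no-same-owner --no-same-permissions`), so that even an entry the validator missed cannot hand out root.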
The researchers also determined that a subset of keys could be indirectly modified through servicing software designed for use by certified technicians.
Fortunately, to exploit the discovered flaws an attacker would already need access to the local network. It is technically possible for a threat actor to exploit the vulnerability over the internet, but “it would be very unlikely to see a setup where a pump is directly internet-connected.”
In addition, the pump does have safeguards in place that prevent modifications from occurring when the pump is operational. The researchers found that “if the pump is actively administering medication, it ignores any request on the CAN bus to modify library or configuration data.”
As a result, the pump must be idle or in standby mode between infusions for an attack to succeed. But even in a busy hospital setting, the researchers noted, pumps are not always active, which reiterates the importance of mitigating these flaws.
“The prerequisites for this attack are minimal and are not enough to mitigate the overall threat,” researchers warned. “In today’s world there are a wide range of documented and utilized methods for attackers to gain access to local networks.”
“If we also consider that hospitals or medical facilities are generally public places with little to no barriers to entry, it is easy to see how someone malicious can go unnoticed and obtain network access,” they added.
The full report highlights key attack methods and exploit possibilities, which can help security leaders better understand how these vulnerabilities could impact device function and overall patient care.
The discovered vulnerabilities were previously unreported and were disclosed to B. Braun on Jan. 11, 2021. The teams worked together to develop mitigations, and B. Braun then provided a software update to address the flaws.
However, McAfee noted that an attacker would only need to find and exploit one other network-based vulnerability to reach and leverage the flaws the team discovered, compromising the impacted pumps.
Further, the vulnerabilities remain present in software widely deployed across a range of U.S. medical care sites, which means the devices are still at risk of compromise.
“Until a comprehensive suite of patches is produced and effectively adopted by B. Braun customers, we recommend medical facilities actively monitor these threats with special attention and follow the mitigations and compensating controls provided by B. Braun Medical Inc. in their coordinated vulnerability disclosure documentation,” the researchers warned.
The McAfee report provides real-world evidence of the continued challenges faced by both device manufacturers and health care providers in securing the complex ecosystem of devices, given that no device is a standalone platform. Patching is not as simple as pushing a button. Often, it involves physically touching every device in need of an update, which is more than burdensome when most health systems have thousands of devices.
Providers should review guidance developed by the Healthcare and Public Health Sector Coordinating Council (HSCC), which can help device manufacturers, health IT vendors, providers, and other stakeholders enhance device security throughout the device lifecycle.