Vulnerabilities in certain B.Braun infusion pumps and supportive battery packs could enable remote access with a low complexity cyberattack, according to a recent Cybersecurity and Infrastructure Security Agency alert.
The flaws were discovered and reported to the vendor by McAfee security researchers Douglas McKee and Philippe Laulheret. B. Braun issued a software update that will remedy the five vulnerabilities, and healthcare entities are being urged to apply the patch to prevent exploits.
The security flaws are found in B.Braun’s SpaceStation with SpaceCom 2 versions 012U000061, as well as its battery pack SP with WiFi installed in Infusomat Space Infusion Pumps and Perfusor Space Infusion pumps for all software versions 028U000061 and earlier. Products outside of the U.S. also include the Perfusor or Infusomat compactPlus and pump.
The most critical vulnerability is ranked 9.0 severity and found in SpaceCom2. An insufficient verification of data authenticity could enable a remote, unauthenticated attack to send malicious data to the device, instead of intended, correct data. It’s caused by a lack of cryptographic signatures on critical data sets, which results in full system command access.
“Unrecognized files may set the device in service mode. An upload cannot be done while a therapy is running. Only devices turned off or in standby mode may be affected,” according to B.Braun’s advisory.
SpaceCom2 also holds two vulnerabilities ranked 6.8 in severity.
The first involves an improper sanitization of input that could allow a remote, unauthenticated actor to gain user-level command-line access “by passing a raw external string straight through to printf statements.” An attacker would need to be on the same network as the device to successfully exploit the flaw.
The second flaw refers to the devices lacking authentication requirements on proprietary networking commands for critical functions, which would let a remote actor reconfigure the device from an unknown source.
The devices also allow unrestricted uploads of files with dangerous type, essentially allowing remote hackers to upload any file to the /tmp directory of the infusion pump directory via the webpage API. A successful exploit could let an attacker overwrite critical files.
The final vulnerability is ranked 5.9 in severity and caused by the device using cleartext transmission of sensitive data, which could enable an actor to intercept network traffic and steal sensitive information, including the critical values for the pump’s internal configurations.
“Successful exploitation of these vulnerabilities could allow a sophisticated attacker to compromise the security of the Space communication devices, allowing the attacker to escalate privileges, view sensitive information, upload arbitrary files, and perform remote code execution,” according to the B.Braun advisory.
“Under certain conditions identified below, successful exploitation of these vulnerabilities could allow an attacker to change the configuration of connected infusion pumps, which may alter infusions after a successful attack,” it added. “Change of a running therapy is not possible.”
Those conditions include when the devices are connected to the network, if an actor has network access, whether the attacker targets the impacted device with a specific attack, or when the infusion pump is turned off or in standby mode.
Healthcare entities in the U.S. and Canada should review B.Braun’s security advisory to obtain information on the vendor’s software update that will remediate these vulnerabilities. For now, there have been no public reports of exploitation in a real-world scenario.
B. Braun urged all entities using SpaceCom and the impacted battery pack with WiFi to review the enterprise IT infrastructure to ensure a network zone concept is implemented, where critical systems like infusion pumps are placed on separate environments that are not directly accessible from the internet. Those measures include firewalls or VLAN.
Further, wireless networks would employ multi-factor authentication, industry-standard encryption, and intrusion detection systems (IDS) or intrusion prevention systems (IPS).
“In some instances, standard IT security measures (e.g. blocking of ports) may limit the administrative functions of the product but will not impact the therapy related functions of the device,” B. Braun warned.
“Where it is necessary to reduce security measures to perform an administrative function, such actions should be temporary in nature, and the recommendations identified above reinstituted immediately upon successful completion of the function,” it concluded.
CISA reminded entities that an impact analysis and risk assessment should be performed prior to deploying these defensive measures. Entities should also consider locating control system networks and remote devices and isolating them from the enterprise network, while using secure methods when remote access is required.