Report: Nearly 75% of Infusion Pumps Affected by Severe Vulnerabilities

An analysis of knowledge crowdsourced from additional than 200,000 network-linked infusion pumps employed in hospitals and healthcare entities has discovered that 75% of those people health care products have security weaknesses that could put them at risk of likely exploitation.

“These shortcomings bundled publicity to just one or far more of some 40 regarded cybersecurity vulnerabilities and/or alerts that they experienced one or much more of some 70 other styles of regarded security shortcomings for IoT gadgets,” Unit 42 security researcher Aveek Das mentioned in a report revealed Wednesday.

Palo Alto Networks’ risk intelligence workforce stated it acquired the scans from 7 medical device makers. On prime of that, 52.11% of all infusion pumps scanned have been prone to two known vulnerabilities that had been disclosed in 2019 as aspect of 11 flaws collectively named “URGENT/11” –

• CVE-2019-12255 (CVSS score: 9.8) – A buffer overflow flaw in the TCP ingredient of Wind River VxWorks
• CVE-2019-12264 (CVSS rating: 7.1) – An issue with incorrect access control in the DHCP customer part of Wind River VxWorks

Other vital flaws impacting infusion pump are stated down below –

• CVE-2016-9355 (CVSS score: 5.3) – An unauthorized person with bodily entry to an Alaris 8015 Point of Care models might be capable to disassemble the machine to accessibility the detachable flash memory, allowing examine-and-produce accessibility to machine memory
• CVE-2016-8375 (CVSS score: 4.9) – A credential management mistake in Alaris 8015 Point of Treatment models that could be exploited to get unencrypted wi-fi network authentication qualifications and other delicate specialized knowledge
• CVE-2020-25165 (CVSS rating: 7.5) – An improper session authentication vulnerability in Alaris 8015 Position of Care models that could be abused to execute a denial-of-provider attack on the gadgets
• CVE-2020-12040 (CVSS score: 9.8) – Cleartext transmission of delicate information in Sigma Spectrum Infusion System
• CVE-2020-12047 (CVSS score: 9.8) – Use of tricky-coded FTP credentials in Baxter Spectrum WBM
• CVE-2020-12045 (CVSS rating: 9.8) – Use of tricky-coded Telnet credentials in Baxter Spectrum WBM
• CVE-2020-12043 (CVSS score: 9.8) – Baxter Spectrum WBM FTP services stays operational just after its anticipated expiry time till it really is rebooted
• CVE-2020-12041 (CVSS rating: 9.8) – Baxter Spectrum Wi-fi Battery Module (WBM) permits facts transmission and command-line interfaces over Telnet

Profitable exploitation of the aforementioned vulnerabilities could result in leakage of delicate facts pertaining to individuals and enable an attacker to attain unauthorized entry to the gadgets, necessitating that health and fitness devices are proactively safeguarded against threats.

Final yr, McAfee disclosed security vulnerabilities affecting B. Braun’s Infusomat Place Big Quantity Pump and SpaceStation that could be abused by malicious get-togethers to tamper with treatment doses with out any prior authentication.

The discovery “highlights the will need for the healthcare industry to redouble initiatives to protect in opposition to recognised vulnerabilities, when diligently pursuing greatest practices for infusion pumps and healthcare facility networks,” Das stated.

Found this article attention-grabbing? Observe THN on Fb, Twitter  and LinkedIn to examine a lot more special content we post.

Some sections of this post are sourced from:
thehackernews.com