According to data collected from over 200,000 network-connected medical infusion pumps used to provide medication and fluids to patients, 75% of them have known security flaws that attackers might abuse. The research reveals that thousands of devices are vulnerable to six critical-severity vulnerabilities (9.8 out of 10) found in 2019 and 2020.
Palo Alto Networks researchers examined the security condition of over 200,000 infusion pumps using data received from customers and discovered that between 30,000 and at least 100,000 of them are exposed to significant security flaws. The most frequently encountered critical-severity weakness found is CVE-2019-12255. It is a memory corruption vulnerability in the VxWorks real-time operating system (RTOS) used for embedded devices, particularly infusion pump systems.
According to Palo Alto Networks, the weakness is found in 52 percent of the examined infusion pumps, or over 104,000 devices. CVE-2019-12255 is one of 11 vulnerabilities known as ‘URGENT/11’ that researchers at Armis (a firm that provides security for connected devices) found and disclosed in 2019.
Wind River, the company that supports VxWorks RTOS, has had all URGENT/11 issues patched since July 19, 2019. However, in the embedded device world, long delays in applying updates, or not installing them at all, are well-known issues. The remaining five critical-severity bugs were discovered in June 2020 and affect products made by the American healthcare corporation Baxter International. They are:
- CVE-2020-12040 – CVSS score of 9.8 (Critical)
- CVE-2020-12047 – CVSS score of 9.8 (Critical)
- CVE-2020-12045 – CVSS score of 9.8 (Critical)
- CVE-2020-12043 – CVSS score of 9.8 (Critical)
- CVE-2020-12041 – CVSS score of 9.8 (Critical)
According to Baxter’s security alert at the time, most of them can be exploited if the attacker is already on the network, which is not unusual. The flaws range from cleartext data transfer without authentication to hardcoded passwords and improper permissions, allowing an attacker to access sensitive data or modify the Wireless Battery Module’s network configuration.
Although no patches are available for these vulnerabilities, Baxter has provided a set of mitigations (such as segmentation and monitoring) to reduce the risk of them being exploited, as well as a recommendation to upgrade to the newer Spectrum IQ Infusion system, which is not affected by the above issues. According to a CISA alert, a low-skilled attacker might exploit them.
Palo Alto Networks has recommended that healthcare institutions implement a proactive security approach for protecting devices from known and unknown threats, which begins with an accurate inventory of all systems on the network. The researchers said that not all of the vulnerabilities currently affecting the assessed infusion pumps can feasibly be exploited remotely. Still, they do pose a “risk to the general security of healthcare organizations and the safety of patients.”