U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Hackers can remotely access Smiths Medical Syringe Infusion Pumps to kill patients

The US-CERT is warning of hackers can remotely access Smiths Medical Syringe Infusion Pumps to control them and kill patients. IoT devices continue to enlarge our surface of attack, and in some cases, their lack of security can put our lives in danger. Let’s thinks for example of medical devices that could be hacked by attackers […]

Smiths Medical Syringe Infusion Pumps to control them and kill patients

The US-CERT is warning of hackers can remotely access Smiths Medical Syringe Infusion Pumps to control them and kill patients.

IoT devices continue to enlarge our surface of attack, and in some cases, their lack of security can put our lives in danger.

Let’s thinks for example of medical devices that could be hacked by attackers with serious consequences.
Earlier this month, the US Food and Drug Administration (FDA) recalled 465,000 pacemakers because they are vulnerable to hacking, million people in the United States urged to get their pacemakers updated.

In May, researchers from security firm White Scope analyzed seven pacemaker models commercialized by four different manufacturers and discovered that medical devices could be hacked with  “commercially available” equipment that goes between $15 to $3,000.

The FDA has recalled 465,000 pacemakers after discovering security vulnerabilities that could be exploited by hackers to reprogram the medical devices to run the batteries down or in a terrifying hacking scenario to modify the patient’s heartbeat.

The good news is that there are no reports of hacked pacemakers yet.

News of the day is that Smiths Medical’s Medfusion 4000 Wireless Syringe Infusion Pumps used in acute critical care settings could be remotely controlled by attackers.

The medical devices are used worldwide for intensive care such as neonatal and pediatric intensive care and the surgery room.

The remotely exploitable vulnerability was discovered by the independent researcher Scott Gayou, the expert has found eight vulnerabilities in the Smiths Medical’s Medfusion 4000 Wireless Syringe Infusion Pumps.

The bad news is that Smiths Medical will fix the flaws in the new release that is planning to release in January, 2018.

“Independent researcher Scott Gayou has identified eight vulnerabilities in Smiths Medical’s Medfusion 4000 Wireless Syringe Infusion Pump. Smiths Medical is planning to release a new product version to address these vulnerabilities in January, 2018. In the interim, NCCIC/ICS-CERT is recommending that users apply the identified compensating controls until the new version can be applied.” reads the advisory published by the NCCIC/ICS-CERT.

“These vulnerabilities could be exploited remotely.”

The following Medfusion 4000 Wireless Syringe Infusion Pump versions are affected by the vulnerabilities:

  • Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.1,
  • Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.5, and
  • Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.6

Smiths Medical Syringe Infusion Pumps to control them and kill patients

Some of the flaws are high in severity and can be remotely exploited to “gain unauthorized access and impact the intended operation of the pump.”

“Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump.” continues the US-CERT.

The most severe issue is the CVE-2017-12725 vulnerability, it is related to the presence of hardcoded credentials to automatically establish a wireless connection to a device with a default configuration.

The vulnerability has been rated with a CVSS score of 9.8

The list of high-severity vulnerabilities include:

  • CVE-2017-12718 – BUFFER COPY WITHOUT CHECKING SIZE OF INPUT (‘CLASSIC BUFFER OVERFLOW’) – A buffer overflow vulnerability that could be exploited for remote code execution on the affected device.
  • CVE-2017-12720 – IMPROPER ACCESS CONTROL – The FTP server on the pump does not require authentication if the pump is configured to allow FTP connections.
  • CVE-2017-12724 – USE OF HARD-CODED CREDENTIALS – The FTP server on the pump contains hardcoded credentials, which are not fully initialized. The FTP server is only accessible if the pump is configured to allow FTP connections.
  • CVE-2017-12721 – IMPROPER CERTIFICATE VALIDATION – The pump does not validate host certificate, leaving the pump vulnerable to a man-in-the-middle (MITM) attack.

The other vulnerabilities are medium severity flaws that could be exploited by hackers:

  • to crash the communications and operational modules of the medical device.
  • to authenticate to telnet using hard-coded credentials.
  • to obtain passwords from configuration files.
The ICS-CERT provided recommendations to healthcare organizations are to protect the devices, including:
  • disconnecting the pump from the network until the product fix can be applied;
  • disable the FTP server on the pump.
  • assigning static IP addresses to pumps;
  • close unused ports:
  • consider the use of network virtual local area networks (VLANs) for the segmentation of the Medfusion 4000 medical infusion pumps.
  • monitoring network activity for malicious servers:
  • use strong passwords;
  • monitor and log all network traffic attempting to reach the affected products
  • regularly creating backups;

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Smiths Medical Syringe Infusion Pumps, hacking)

[adrotate banner=”12″]