The U.S. Cybersecurity and Infrastructure Security Agency (CISA) today issued a warning on some Baxter (NYSE:BAX) infusion pumps.
Sigma and Baxter Spectrum infusion pumps are included in a CISA notice over remotely exploitable vulnerabilities. Those vulnerabilities include: missing encryption of sensitive data, use of an externally controlled format string, and missing authentication for critical functions.
The successful exploitation of the vulnerabilities could allow access to sensitive data. It could also result in the alteration of system configuration.
Overview of vulnerabilities
Patient health information (PHI) can be stored in unencrypted form. An attacker with physical access to a device whose data and settings have not been erased may be able to extract sensitive information. Only Baxter’s Spectrum IQ pumps store PHI using auto programming.
When in superuser mode, pumps are susceptible to format string attacks via application messaging. An attacker may use this to read memory in the pump and access sensitive information. It could also result in a denial-of-service condition.
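To make the defect class concrete, here is an added illustration (not Baxter’s code; the message handlers are hypothetical) of a message-logging routine that uses an externally supplied message as its format string, beside the fixed version and a simple input check a defender can apply before messages reach any printf-family call:

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical handlers illustrating CWE-134 (externally controlled format
 * string). Not taken from any Baxter product. */

/* Vulnerable pattern: the received message *is* the format string, so any
 * conversion directives it carries are interpreted by snprintf. */
int log_message_vulnerable(char *out, size_t outlen, const char *msg) {
    return snprintf(out, outlen, msg);   /* msg controls the format */
}

/* Hardened pattern: a fixed format string; the message is only ever data. */
int log_message_fixed(char *out, size_t outlen, const char *msg) {
    return snprintf(out, outlen, "%s", msg);
}

/* Defensive check: flag any '%' in a message that is not an escaped "%%",
 * so such messages can be rejected or logged with the fixed handler. */
int has_format_directive(const char *msg) {
    for (const char *p = msg; *p; p++) {
        if (*p == '%') {
            if (p[1] == '%') { p++; continue; }   /* "%%" is a literal percent */
            return 1;
        }
    }
    return 0;
}

int main(void) {
    char buf[64];
    /* Constructed sample message: "%%" is the only directive that the
     * vulnerable handler can interpret without undefined behaviour. */
    const char *msg = "infusion 100%% complete";
    log_message_vulnerable(buf, sizeof buf, msg);
    printf("vulnerable: %s\n", buf);   /* "%%" collapsed to "%": interpreted */
    log_message_fixed(buf, sizeof buf, msg);
    printf("fixed:      %s\n", buf);   /* message copied verbatim */
    printf("directive check on \"rate %%x\": %d\n", has_format_directive("rate %x"));
    return 0;
}
```

Compiling the vulnerable handler with `-Wformat-security` already reports the defect, which is the cheapest check to add to a build.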
Baxter’s Spectrum does not perform mutual authentication with the gateway server host, according to the CISA notice. This could allow a machine-in-the-middle attack that modifies parameters, making the network connection fail.
Affected infusion pumps
- Sigma Spectrum v6.x model 35700BAX
- Sigma Spectrum v8.x model 35700BAX2
- Baxter Spectrum IQ (v9.x) model 35700BAX3
- Sigma Spectrum LVP v6.x Wireless Battery Modules v16, v16D38, v17, v17D19, v20D29 to v20D32, and v22D24 to v22D28
- Sigma Spectrum LVP v8.x Wireless Battery Modules v17, v17D19, v20D29 to v20D32, and v22D24 to v22D28
- Baxter Spectrum IQ LVP (v9.x) with Wireless Battery Modules v22D19 to v22D28
What should users do?
Baxter said that software updates to disable Telnet and FTP are in progress. Software updates addressing the format string attack are already included in some versions, and in other Spectrum IQ versions authentication is already available.
The company is in the process of incorporating instructions to erase data and settings into the operator’s manual. Baxter recommends that users reset the network settings, delete the drug library and clear the history log.
Further instructions are available in the CISA notice.