On April 20, 2022, Rapid7 reported to Baxter Healthcare a set of vulnerabilities it had discovered in two TCP/IP-enabled medical devices made by the company.
The defects, four in total, affect the SIGMA Spectrum infusion pump and the SIGMA WiFi battery.
Nearly five months after Rapid7 first reported the Baxter issues, the two companies have now revealed that they have been working together on impact assessment, remediation, and a coordinated response to the vulnerabilities.
Rapid7 detailed the findings in a new disclosure report, which credits the discoveries to Deral Heiland, Rapid7's principal IoT (Internet of Things) researcher.
For context: Baxter's SIGMA infusion pumps are widely used in hospitals to deliver drugs and nutrition directly into a patient's bloodstream. They are TCP/IP-enabled and report data back to healthcare providers to support more efficient care.
The first vulnerability (tracked as CVE-2022-26390) causes the pump to pass its WiFi credentials to the battery pack whenever the battery is connected to the pump and the pump is powered on.
The second (tracked as CVE-2022-26392) is a format string vulnerability in the "hostmessage" command, reachable over a Telnet session, in Baxter SIGMA WiFi battery firmware version 16.
The third (tracked as CVE-2022-26393) is another format string vulnerability, this time in the D29 WiFi battery pack firmware version 20, and the fourth (tracked as CVE-2022-26394) allows a remote, unauthenticated attacker to change the SIGMA GW IP address on WiFi battery packs running firmware versions 16, 17, and 20 (D29); that address configures the server communication services the device relies on to operate.
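The two format string bugs above (CVE-2022-26392 and CVE-2022-26393) follow the classic pattern in which text supplied by the remote party is handed to a printf-family function as the format argument rather than as data. The C below is an added example written for this article; it is not Baxter's firmware, not Rapid7's proof of concept, and the real "hostmessage" handler is not public. The function names, the 64-byte buffer, and the sample messages are assumptions made for illustration. It shows the vulnerable call for contrast, the hardened call with a constant format string, and a check that rejects messages carrying conversion directives so the bug cannot quietly come back in a later refactor.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for the hypothetical "hostmessage" handler. */
#define HOSTMSG_MAX 64

/* Returns true if an untrusted string carries printf conversion directives
 * such as "%x", "%s" or "%n". A doubled "%%" is a literal percent sign and
 * is allowed; anything else after '%' starts a conversion. */
bool hostmessage_has_format_directive(const char *msg)
{
    for (const char *p = msg; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent: skip the pair */
            p++;
            continue;
        }
        return true;
    }
    return false;
}

/* VULNERABLE pattern (CWE-134), shown for contrast and never compiled in:
 *
 *     int hostmessage_vulnerable(char *out, size_t outlen, const char *msg)
 *     {
 *         return snprintf(out, outlen, msg);   // msg IS the format string
 *     }
 *
 * With msg = "%x%x%x" the call reads words off the stack into the output;
 * with "%n" it writes an attacker-influenced value into memory. Both are
 * reachable by whoever can type into the Telnet session. */

/* HARDENED form: the format string is a constant and the message is data.
 * Returns the number of bytes stored (excluding the NUL), or -1 when the
 * message was rejected or formatting failed. */
int hostmessage_safe(char *out, size_t outlen, const char *msg)
{
    /* Defence in depth: "%s" already makes the snprintf safe, but rejecting
     * directive-bearing input lets the device log the attempt and protects
     * against a future edit that drops the constant format string. */
    if (hostmessage_has_format_directive(msg))
        return -1;

    int n = snprintf(out, outlen, "%s", msg);
    if (n < 0)
        return -1;
    /* snprintf reports the untruncated length; report what was stored. */
    return (size_t)n >= outlen ? (int)outlen - 1 : n;
}

/* Convenience wrapper: formats into a static buffer and returns it, or NULL
 * when the message was rejected. Handy for tests and quick checks. */
const char *hostmessage_safe_text(const char *msg)
{
    static char buf[HOSTMSG_MAX];
    return hostmessage_safe(buf, sizeof buf, msg) < 0 ? NULL : buf;
}

int main(void)
{
    /* Constructed sample inputs: a benign status line, a message with a
     * literal percent sign, and a probe in the style of a format string
     * attack. None of these come from the Rapid7 report. */
    const char *samples[] = { "pump online", "100%% charged", "AAAA%x%x%x%n" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *out = hostmessage_safe_text(samples[i]);
        if (out)
            printf("accepted: \"%s\"\n", out);
        else
            printf("rejected: \"%s\" (format directive)\n", samples[i]);
    }
    return 0;
}
```

The rejection check is deliberately conservative: it treats any lone `%` as hostile, which is the right trade-off for a status string that never needs formatting. If the protocol genuinely allows percent signs, requiring them to be doubled (as the second sample does) keeps the check simple and auditable.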
All four vulnerabilities have reportedly now been patched, but Heiland also clarified in the disclosure report that even before the patches the problems could not be exploited over the Internet or from long distances.
“The attacker must be at least within Wi-Fi range of the affected devices, and in some cases the attacker must have direct physical access.”
At the same time, a security expert warned that an attacker who can gain network access to a pump unit could use a single unauthenticated packet to make the unit redirect all of its internal system communications to a host under the attacker's control, enabling a man-in-the-middle (MITM) attack.
“This could affect the accuracy of pump data sent for monitoring and recording, and could potentially be used to intercept drug library data updates on pumps — potentially dangerous.”
More information about the fixed SIGMA vulnerabilities, including mitigation strategies, is available in Rapid7's disclosure report.
The report comes months after research by Palo Alto Networks' Unit 42 found that most smart medical infusion pumps have known security gaps that leave them vulnerable to attackers.