Breach Notification , Endpoint Security , Hardware / Chip-level Security
How Infusion Pump Security Flaws Can Mess with Drug DosingDouglas McKee of McAfee Enterprise Describes Vulnerabilities Found in B. Braun Devices
Five security vulnerabilities in commonly used infusion pump products from B. Braun Medical Inc. could collectively allow malicious actors to dangerously modify the dose of medicines delivered to patients, says Douglas McKee, a security researcher on a team at security vendor McAfee Enterprise, which recently discovered the flaws.
The vulnerabilities exist in both the B. Braun Infusomat Space large volume pump and the company's SpaceStation docking station, which are network-connected devices used in hospitals worldwide, McKee says in an interview with Information Security Media Group about his team's Aug. 24 research report.
The vulnerabilities include:
- Use of externally controlled format string;
- Insufficient verification of data authenticity;
- Missing authentication for critical function;
- Cleartext transmission of sensitive information;
- Unrestricted upload of file with dangerous type.
"The crux of the vulnerabilities … is what can be done when those [flaws are] combined," he says.
"Each vulnerability separately is not super interesting. But together, the vulnerabilities could allow a remote unauthenticated attack, where actors can access the device in an unintended manner and then … leverage the software on the device to let it do things it's not intended to do," he says.
That includes manipulating values in memory, resulting in the pump distributing more or less of the drug than what the device was intended to do, he says.
"And this is all done without alerting the medical staff or the IT staff. So the pump actually believes it administered the proper dose of medication."
B. Braun Statement
In a statement to ISMG about the McAfee Enterprise research findings, B. Braun says: "We have a robust vulnerability disclosure program and when potential vulnerabilities are discovered, our goal is to mitigate potential risks as quickly as possible."
B. Braun disclosed in May information to customers and the Health Information Sharing & Analysis Center that addressed the potential vulnerabilities raised in McAfee Enterprise’s report, "which were tied to a small number of devices utilizing older versions of B. Braun software," the statement says.
"Our disclosure included clear mitigation steps for impacted customers, including the instructions necessary to receive the patch to eliminate material vulnerabilities. We will continue to provide further security updates as necessary."
Recommended mitigations include segmenting the infusion pump devices on separate networks.
In the interview (see audio link below photo), McKee also discusses:
- Additional details about the security vulnerabilities identified in the pump products;
- The surge in ransomware incidents involving healthcare sector entities;
- Concerning cybersecurity issues involving legacy medical devices.
McKee is a principal engineer and senior security researcher for the McAfee Enterprise Advanced Threat Research team, focused on finding new vulnerabilities in both software and hardware. He has a background in vulnerability research, penetration testing, reverse engineering, malware analysis, and forensics and has provided software exploitation training to many audiences, including law enforcement officials.