Vulnerable infusion pumps can be remotely accessed to change dosages


Critical Bug in Medical Infusion Pumps lets Attacker Remotely install Unauthorized Firmware to Change Medication Dosages.

Researchers at CyberMDX, a healthcare security firm, have identified two different vulnerabilities in Becton Dickinson Alaris Gateway Workstations (AGW) used by hospitals in medical infusion pumps. One of the bugs is so severe that it carries a critical rating of 10 on the CVSS v.3 severity scale.

The other bug is comparatively less severe and is found in the web-based management interface of the workstation.
The abovementioned workstations are manufactured by popular medical device maker Becton Dickinson. These flaws can be leveraged by an attacker remotely and without needing any authentication to gain full control of the infusion pump.
The bugs are the result of a flaw (tracked as CVE-2019-10959) in the device’s firmware code. By exploiting these flaws, an attacker can easily hijack the device to disable it completely, install unauthorized firmware or malware, and report fake information. The attacker could also communicate directly with the pumps linked to the gateway to manipulate drug dosages and even change infusion rates, both of which are drastic scenarios.
A Becton Dickinson Alaris Gateway Workstation.
It is worth noting that no special privileges would be needed by the attacker to perform these tasks. So, without much ado, the attacker can play with the lives of patients by preventing life-saving treatment.
This exploit can be carried out by anyone who gains access to the hospital’s internal network. Files transferred via the update are copied straight to the internal memory and allowed to override existing files, said researchers.
The Alaris Gateway Workstations can power, monitor, and control the medical use of infusion pumps. These devices are used in hospital ICUs and wards to dispense intended drugs automatically to a patient. These pumps are used to deliver a variety of medicines that require continuous dosing like insulin and painkillers.
In a majority of cases, a patient under treatment uses multiple infusion pumps, connected to a single medical gateway, to receive different drugs. The AGW is used to communicate with the infusion pumps as well as to power them during critical medical procedures such as blood transfusion, chemotherapy, anesthesia administration, and dialysis.
Infusion pumps are among the most commonly used pieces of equipment in a hospital, and their vulnerability can cause extreme trouble for patients. These pumps dispense life-saving medications and intravenous fluids, and any unauthorized change to these would certainly lead to life-threatening outcomes.
Furthermore, usually, these pumps are connected to a single, central monitoring station from where the concerned medical staff can check the administration of drugs and fluids to multiple patients simultaneously.
The flaws were tested independently and validated by CyberMDX, the U.S. Department of Homeland Security (DHS) and the vendor. CyberMDX researchers assessed the severity of the risk and stated it in the form of baseline Common Vulnerability Scoring System (CVSS) scores.
The Alaris Gateway firmware vulnerability had a CVSS risk score of 10.0, which means it is very critical. The flaw in the Web Browser User Interface of the AGW had a risk score of 7.3, which can be termed as high.
Researchers claim that by installing malicious firmware on the computer connected to the pump, an attacker can remotely brick it which would shut down the pump or make it go offline.
Moreover, creation of an attack kit is also quite easy but the attack chain is rather complex as it would involve multiple stages such as accessing the hospital network, obtaining the IP address of the workstation and managing to write custom malicious code, states the head of research at CyberMDX, Elad Luz.
Becton Dickinson suggests that device owners need to update to the latest firmware that contains fixes for these flaws.

Not for the first time

This is not the first time that researchers have identified life-threatening vulnerabilities in medical infusion pumps. Previously, Smiths Medical Syringe Infusion Pumps were plagued with high-severity flaws allowing remote attackers to put patients’ lives in danger.
Last year, during RSA 2018, a group of doctors demonstrated how anyone can hack a medicine pump and modify doses, leading to overdosing of a particular medicine. The group also exposed critical vulnerabilities in pacemakers, insulin pumps and defibrillators, leading to life-threatening consequences.
