Wireless Syringe Infusion Pumps are used to deliver small doses of medicines from a syringe in acute care settings. The pumps can accurately deliver medication in neonates, pediatric intensive care units, and operating rooms.
Wireless Syringe Infusion Pumps are used to deliver small doses of medicines from a syringe in acute care settings. The pumps can accurately deliver medication in neonates, pediatric intensive care units, and operating rooms. The specialty medical equipments manufactured by leading firm "Smiths Medical" have been found vulnerable and exploitable remotely by hackers. This can in turn affect the intended operations of the device. The devices in the picture are the 'Medfusion 4000 Wireless' Syringe Infusion Pumps. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) which works to reduce cyber risks in collaboration with law enforcement agencies, issued an advisory reporting vulnerability in the medical devices. The company upon notification has promised to release patches for the flaws in the next version of the device set to be released in January 2018. The flaws were found in version 1.1, 1.5, 1.6 of the firmware. The most critical of all security holes is the CVE-2017-12725 which can establish wireless network connection unless the default configuration is changed and a buffer overflow flaw tracked as CVE-1017-12718. The major flaws are a lack of Authentication and hard-coded credentials for the FTP services tracked as CVE-2017-12720 and CVE-2017-12724 and a lack of Proper Host Certification Authentication tracked as CVE-1017-12721. Medium security vulnerabilities, let the attacker crash the communication module and authenticate to telnet through hard coded credentials and access passwords by exploiting configuration files. The firm, Smith Medical has advised users to assign static IP addresses to the device, set strong passwords, create backups and install the devices on isolated networks only until the security patch is released. ICS-CERT on the other hand has suggested that the FTP servers be disabled, unused ports be closed and traffic to the pump be monitored closely.Interestingly, this is the second case of compromised medical equipment in less than a month. Recently, nearly 400,000 pacemakers were recalled after being found vulnerable to cyber attacks. As medical equipments are increasingly digitized so are the hacking risks relating to them. Interestingly, this is the second case of compromised medical equipment in less than a month. Recently, nearly 400,000 pacemakers were recalled after being found vulnerable to cyber attacks. As medical equipments are increasingly digitized so are the hacking risks relating to them.