B. Braun’s Infusomat Space Large Volume Pump and SpaceStation had serious security vulnerabilities that could be abused by threat actors to alter medication doses without any prior authentication.
Cybersecurity researchers at McAfee have discovered and disclosed five previously unreported security vulnerabilities in the B. Braun Infusomat pumps.
The researchers reported the flaws to the German medical and pharmaceutical device company on January 11, 2021. They stated that the “modification could appear as a device malfunction and be noticed only after a substantial amount of drug has been dispensed to a patient, since the infusion pump displays exactly what was prescribed, all while dispensing potentially lethal doses of medication.”
The issues have been addressed by B. Braun in SpaceCom L82 or later, Battery Pack SP with WiFi: L82 or later, and DataModule compactplus version A12 or later.
Infusion pumps are medical devices that are used to deliver intravenous fluids, such as nutrients and medications, into a patient’s body in controlled amounts. SpaceStation is a configurable docking and communication system designed to accommodate up to four infusion pumps for use in a medical facility.
The devices run on a software component called SpaceCom, an embedded Linux system that runs either on the pump from within its smart battery pack or from inside the SpaceStation.
The flaws that were identified could allow an attacker to escalate privileges, view sensitive information, upload arbitrary files, and perform remote code execution.
- CVE-2021-33885 – Insufficient Verification of Data Authenticity (CVSS 9.7)
- CVE-2021-33882 – Missing Authentication for Critical Function (CVSS 8.2)
- CVE-2021-33886 – Use of Externally-Controlled Format String (CVSS 7.7)
- CVE-2021-33883 – Cleartext Transmission of Sensitive Information (CVSS 7.1)
- CVE-2021-33884 – Unrestricted Upload of File with Dangerous Type (CVSS 5.8)
By exploiting the vulnerabilities, an attacker could modify a pump’s configuration while the pump is in standby mode, resulting in an unexpected dose of medication being delivered to a patient on its next use – all without any authentication.
It is possible for an attacker to send commands or data to the pump’s operating system, thereby facilitating remote attacks that not only go undetected but also weaponize the device by altering the amount of medication a patient is expected to receive through infusion.
However, the attacks succeed only when a pump is idle or in standby mode between infusions, and the threat actor must first gain an initial foothold on the local network, or potentially carry out the intrusions over the internet if the pumps are directly exposed.
B. Braun stated in an advisory that all facilities utilizing SpaceCom, Battery Pack SP with WiFi, and DataModule compactplus should review their IT infrastructure to ensure that a network zone concept has been implemented whereby critical systems, such as infusion pumps, are housed in separate (e.g., by firewalls or VLAN) environments which are not accessible directly from the internet or by unauthorized users.
The company also stated that wireless networks should be implemented using multi-factor authentication and industry standard encryption and should be equipped with Intrusion Detection Systems (IDS) and/or Intrusion Prevention Systems (IPS).
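The network zone concept recommended in the advisory can be checked against a firewall rule set. The following is an added example, not code from B. Braun or McAfee; the addresses, the rule format and the `exposures` function are constructed assumptions, and rules are taken to be first-match with CIDR sources and destinations.

```python
import ipaddress as ip

# Constructed addressing plan (assumptions, not values from the advisory).
PUMP_ZONE = ip.ip_network("10.20.30.0/24")             # infusion pump VLAN
AUTHORIZED_SOURCES = [ip.ip_network("10.20.40.0/28")]  # e.g. pump management servers

# Constructed rule set, evaluated first-match: (action, source, destination).
RULES = [
    ("allow", "10.20.40.0/28", "10.20.30.0/24"),
    ("allow", "10.20.0.0/16", "10.20.30.0/24"),   # too broad: whole hospital LAN
    ("deny", "0.0.0.0/0", "10.20.30.0/24"),
    ("allow", "0.0.0.0/0", "0.0.0.0/0"),          # general catch-all rule
]


def exposures(rules, pump_zone=PUMP_ZONE, authorized=AUTHORIZED_SOURCES):
    """Return indexes of allow rules that let unauthorized sources reach the pumps."""
    parsed = [(a, ip.ip_network(s), ip.ip_network(d)) for a, s, d in rules]
    findings = []
    for i, (action, src, dst) in enumerate(parsed):
        if action != "allow" or not dst.overlaps(pump_zone):
            continue
        if any(src.subnet_of(net) for net in authorized):
            continue  # source lies entirely inside an authorized network
        # Part of the pump zone this rule targets (CIDR blocks nest when they overlap).
        target = dst if dst.subnet_of(pump_zone) else pump_zone
        # First-match: an earlier deny covering source and target makes the rule dead.
        # Partial coverage is treated as not shadowed, so the check errs on flagging.
        shadowed = any(a == "deny" and src.subnet_of(s) and target.subnet_of(d)
                       for a, s, d in parsed[:i])
        if not shadowed:
            findings.append(i)
    return findings


if __name__ == "__main__":
    for i in exposures(RULES):
        print(f"rule {i} exposes the pump zone: {RULES[i]}")
```

On the constructed rule set, only the hospital-wide allow rule is reported; the catch-all rule is not, because the deny rule ahead of it already blocks all other traffic to the pump VLAN.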