On April 20, 2022, Rapid7 discovered vulnerabilities in two TCP/IP–enabled medical devices produced by Baxter Healthcare.
The flaws, four in total, affected the company’s SIGMA Spectrum Infusion Pump and SIGMA WiFi Battery.
Almost five months after Rapid7 first reported the issues to Baxter, the companies are now revealing they have worked together to discuss the impact, resolution and coordinated response for these vulnerabilities.
Rapid7 detailed the findings in a new disclosure report, where the firm said the SIGMA vulnerabilities were discovered by Deral Heiland, Rapid7’s principal IoT (Internet of Things) researcher.
For context, Baxter’s SIGMA infusion pumps are typically used by hospitals to deliver medication and nutrition directly into a patient’s circulatory system. These are TCP/IP–enabled machines designed to deliver data to healthcare providers to enable more effective care.
The first of the vulnerabilities (tracked CVE–2022–26390) discovered by Rapid7 caused the pump to transfer the WiFi credential to the battery unit when the latter was connected to the primary infusion pump and the infusion pump powered up.
The second flaw (tracked CVE–2022–26392), on the other hand, saw the exposure of the command 'hostmessage' to format string vulnerability when running a telnet session on the Baxter SIGMA WiFi battery firmware version 16.
The third vulnerability (tracked CVE–2022–26393) was also a format string vulnerability on WiFi battery software version 20 D29, and the fourth one (tracked CVE–2022–26394) saw WiFi battery units (versions 16, 17 and 20 D29) allowing remote unauthenticated changing of the SIGMA GW IP address (used for configuring the back–end communication services for the devices’ operation).
All these vulnerabilities have now reportedly been fixed, but in the new disclosure report, Heiland clarified that even before the patches were released, the issues could not have been exploited over the internet or at a great distance.
“An attacker would need to be within at least WiFi range of the affected devices, and in some cases, the attacker would need to have direct physical access.”
At the same time, the security expert warned that if an attacker could get network access to a pump unit, they could, with a single unauthenticated packet, cause the unit to redirect all back–end system communications to a host they control, allowing for a potential man in the middle (MiTM) attack.
“This could impact the accuracy of the pump data being sent for monitoring and recording purposes, and also potentially be used to intercept Drug library data updates to the pumps — which could potentially be dangerous.”
More information about the patched SIGMA vulnerabilities, including various mitigation strategies, is available in the Rapid7 disclosure report.
The document comes months after research by Palo Alto Networks’ Unit 42 suggested most smart medical infusion pumps have known security gaps that make them vulnerable to hackers.