Internet connected medical devices have increasingly become commonplace. However, such devices could potentially be hacked by cybercriminals. New vulnerabilities uncovered by a security expert show that wireless syringe infusion pumps could be remotely accessed by hackers, who could also exploit the bugs to manipulate the operations of the device.
The US Industrial Control Systems (ICS) CERT has issued out an alert, which details that Medfusion 4000 wireless syringe infusion pumps, manufactured by Smiths Medical was found riddled with not one or two, but eight vulnerabilities. The flaws, which were uncovered by independent security researcher Scott Gayou, could potentially be exploited by hackers.
The affected syringe infusion pumps are used by healthcare professionals worldwide and are used to small doses of medication "in acute care settings," according to the ICS CERT's advisory. The syringe pumps are also used to deliver medication to critical care patients including neonatal and pediatric intensive care units as well as the operating room.
"Successful exploitation of these vulnerabilities may allow a remote attacker to gain unauthorized access and impact the intended operation of the pump. Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump," the ICS CERT said in a statement. "Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment and specific clinical usage."
Smiths Medical is currently attempting to figure out a fix for the flaws and has vowed to release patches for the vulnerabilities in the new version of the device that is slated to be released in January next year.
Although Gayou has refrained from revealing much about the flaws, to avoid hackers exploiting the bugs before a patch is released, the vulnerabilities are considered to be critical. The flaws could potentially allow hackers to launch MITM (man-in-the-middle) attacks, automatically establish wireless network connection to the device, crash the communications and operational modules of the device and more.
Medical devices are now being increasingly targeted by hackers. Earlier in the month, the US FDA (Food and Drug Administration) warned that over 450,000 pacemakers were vulnerable to hacking.