Vulnerabilities in battery units for medical infusion pumps made by Baxter could allow network access, denial-of-service (DoS) and man-in-the-middle attacks, highlighting IoT security issues and the need to properly decommission equipment, security firm Rapid7 reports.

A vulnerability found in an interaction between a Wi-Fi-enabled battery system and an infusion pump used to deliver medication could give bad actors a way to steal access to Wi-Fi networks used by healthcare organizations, according to Boston-based security firm Rapid7.

The most serious issue involves Baxter International’s SIGMA Spectrum infusion pump and its associated Wi-Fi battery system, Rapid7 reported this week. The attack requires physical access to the infusion pump. The root of the problem is that the Spectrum battery units store Wi-Fi credential information in non-volatile memory on the device, which means that a bad actor could simply purchase a battery unit, connect it to the infusion pump, and quickly turn it on and off again to force the pump to write its Wi-Fi credentials to the battery’s memory.

Batteries can contain Wi-Fi credentials

Rapid7 added that the vulnerability carries the additional risk that discarded or resold batteries could be acquired in order to harvest Wi-Fi credentials from the original organization, if that organization had not been careful about wiping the batteries before getting rid of them.

The security firm also warned of additional vulnerabilities, including a Telnet issue involving the “hostmessage” command, which could be exploited to view data from the connected device’s process stack, and a similar format string vulnerability that could be used to read or write memory on the device or to cause a denial-of-service condition. Finally, Rapid7 said, the battery units tested were also vulnerable to unauthenticated network reconfiguration attacks over TCP/UDP.
An attacker sending a specific XML command to a specific port on the device could change the device’s IP address, creating the possibility of man-in-the-middle attacks.

The remediation for the first vulnerability, according to the security company, is simply to control physical access to the devices more carefully, since it cannot be exploited without manually connecting the battery to the infusion pump, and to carefully purge Wi-Fi information, by connecting the vulnerable batteries to a unit configured with invalid or blank Wi-Fi credentials, before reselling or otherwise disposing of the devices. For the Telnet and TCP/UDP vulnerabilities, the solution is careful monitoring of network traffic for any unusual hosts connecting to the vulnerable port (51243) on the devices, and restricting access to the network segments containing the infusion pumps. Baxter has also issued new software updates, which disable Telnet and FTP on the vulnerable devices.

Proper decommissioning is key to security

Tod Beardsley, Rapid7’s director of research, said the finding emphasizes the importance of properly decommissioning equipment that could hold sensitive data, and that network managers have to be aware of the potential threat posed by vulnerable IoT devices.

“Due diligence is necessary to ensure that IoT devices do not contain extractable sensitive information when they are discontinued within a particular organization,” he said. “Furthermore, network segmentation must be improved upon to collectively address IoT security disconnects.”
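The monitoring advice above (watch for unexpected hosts reaching port 51243 on the pumps, and confirm Telnet is gone after the update) can be turned into a simple detection. The following is an added example written for this page, not code from Rapid7, Baxter or the article; the subnet ranges, the flow-log line format and the sample flows are constructed assumptions.

```python
"""Flag flow-log records in which a host other than the assumed pump-management
station reaches a pump's reconfiguration port (51243, from the Rapid7 report)
or Telnet (port 23), which Baxter's software update disables."""
import ipaddress

RECONFIG_PORT = 51243   # port named in the Rapid7 report (TCP and UDP)
TELNET_PORT = 23        # should carry no traffic once Telnet is disabled
WATCHED_PORTS = {RECONFIG_PORT, TELNET_PORT}

# Assumed network layout (constructed placeholders): pumps live in one
# segment and only the management subnet is allowed to configure them.
PUMP_SEGMENT = ipaddress.ip_network("10.50.0.0/16")
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.30.0/24")]


def parse_flow(line):
    """Parse a 'PROTO src:sport -> dst:dport' record into typed fields."""
    proto, rest = line.split(maxsplit=1)
    src, dst = (part.strip() for part in rest.split("->"))
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"proto": proto.upper(), "src": ipaddress.ip_address(src_ip),
            "dst": ipaddress.ip_address(dst_ip), "dport": int(dst_port)}


def is_suspicious(flow):
    """True when a watched pump port is reached from a non-management host."""
    if flow["dst"] not in PUMP_SEGMENT or flow["dport"] not in WATCHED_PORTS:
        return False
    return not any(flow["src"] in net for net in ALLOWED_SOURCES)


def find_suspicious(lines):
    """Return the flow lines that should raise an alert."""
    return [line for line in lines if is_suspicious(parse_flow(line))]


# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    "TCP 10.20.30.5:44122 -> 10.50.1.20:51243",    # management station: fine
    "UDP 10.50.1.77:5000 -> 10.50.1.20:51243",     # peer inside pump VLAN: alert
    "TCP 192.168.9.14:60000 -> 10.50.1.20:51243",  # host from elsewhere: alert
    "TCP 10.50.1.77:40000 -> 10.50.1.20:23",       # Telnet still reachable: alert
    "TCP 10.50.1.77:40001 -> 10.50.1.20:443",      # unrelated service: fine
]

if __name__ == "__main__":
    for line in find_suspicious(SAMPLE_FLOWS):
        print("ALERT:", line)
```

In a real deployment the same rule would run over firewall or NetFlow exports for the pump segment, with the allow-list limited to the hosts that legitimately manage the pumps.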