Medical device vulnerability could let hackers steal Wi-Fi credentials

A vulnerability found in an interaction between a Wi-Fi-enabled battery system and an infusion pump for the delivery of medication could provide bad actors with a method for stealing access to Wi-Fi networks used by healthcare organizations, according to Boston-based security firm Rapid7.

The most serious issue involves Baxter International’s SIGMA Spectrum infusion pump and its associated Wi-Fi battery system, Rapid7 reported this week. The attack requires physical access to the infusion pump. The root of the problem is that the Spectrum battery units store Wi-Fi credential information on the device in non-volatile memory, which means that a bad actor could simply purchase a battery unit, connect it to the infusion pump, and quicky turn it on and off again to force the infusion pump to write Wi-Fi credentials to the battery’s memory.

Batteries can contain Wi-Fi credentials

Rapid7 added that the vulnerability carries the additional risk that discarded or resold batteries could also be acquired in order to harvest Wi-Fi credentials from the original organization, if that organization hadn’t been careful about wiping the batteries down before getting rid of them.

The security firm also warned of additional vulnerabilities, including a telnet issue involving the “hostmessage” command which could be exploited to view data from the connected device’s process stack, and a similar format string vulnerability that could be used to read or write to memory on the device, or create a denial-of-service (DoS) attack.

Finally, Rapid7 said, the battery units tested were also vulnerable to unauthenticated network reconfiguration attacks using TCP/UDP protocols. An attacker sending a specific XML command to a specific port on the device could change that device’s IP address, creating the possibility of man-in-the-middle attacks.

The remediation for the first vulnerability, according to the security company, is simply to control physical access to the devices more carefully, since it cannot be exploited without manually connecting the battery to the infusion pump, and to carefully purge Wi-Fi information—by connecting the vulnerable batteries to a unit with invalid or blank —before reselling or otherwise disposing of the devices.

For the telnet and TCP/UDP vulnerabilities, the solution is careful monitoring of network traffic for any unusual hosts connecting to the vulnerable port—51243—on the devices, and restricting access to network segments containing the infusion pumps. Baxter has also issued new software updates, which disable Telnet and FTP for the vulnerable devices.

Proper decommissioning is key to security

Tod Beardsley, Rapid7’s director of research, said that the finding emphasizes the importance of properly decomissioning equipment that could hold sensitive data, and that network managers have to be aware of the potential threat posed by vulnerable IoT devices.

“Due diligence is necessary to ensure that IoT devices do not contain extractable sensitive information when they are discontinued within a particular organization,” he said. “Furthermore, network segmentation must be improved upon to collectively address IoT security disconnects.”