{"id":9271,"date":"2017-09-13T09:10:03","date_gmt":"2017-09-13T17:10:03","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/09\/13\/news-3044\/"},"modified":"2017-09-13T09:10:03","modified_gmt":"2017-09-13T17:10:03","slug":"news-3044","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/09\/13\/news-3044\/","title":{"rendered":"Multiple flaws found in smart syringe pump"},"content":{"rendered":"<p><strong>Credit to Author: Malwarebytes Labs| Date: Wed, 13 Sep 2017 16:27:50 +0000<\/strong><\/p>\n<p>A syringe pump\u00a0is a small infusion pump that delivers liquids, either medication or nutrients, in small quantities into the patient&#8217;s system. Hospitals, nursing homes, and homes with residents\u00a0under acute or palliative care use them. Accurate and safe delivery of dosage from a variety of syringes makes such a device essential. Unfortunately, a particular model of a wireless smart pump has been found to be so vulnerable that a malicious, highly skilled attacker can compromise its communications and therapeutic modules, which in turn could also compromise\u00a0a patient&#8217;s well-being.<\/p>\n<p>Late last week, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) released <a href=\"https:\/\/ics-cert.us-cert.gov\/advisories\/ICSMA-17-250-02\" target=\"_blank\" rel=\"noopener\">an advisory for the Medfusion 4000 Wireless Syringe Infusion Pump<\/a> after Scott Gayou, an independent security researcher, brought to light multiple vulnerabilities in the device that can be exploited remotely.<\/p>\n<p>According to Gayou, the syringe pump has problems with the way it processes data, which could then lead to either the unauthorized execution of code or a system crash. He also pointed out that several credentials are hard-coded into the pump, with some even accessible to anyone if the pump&#8217;s communication module is modified. 
Furthermore, the pump is incapable of validating certificates, which makes it a good candidate for <a href=\"https:\/\/blog.malwarebytes.com\/glossary\/man-in-the-middle-mitm\/\" target=\"_blank\" rel=\"noopener\">MiTM attacks<\/a> that allow threat actors to bypass any security measures in place and gain elevated privileges on it.<\/p>\n<p>Medfusion 4000 Wireless Syringe Infusion Pump versions 1.1, 1.5, and 1.6 are affected by these vulnerabilities.<\/p>\n<p>Smiths Medical, maker of the smart pump, has announced that it will release\u00a0version 1.6.1 of the product to address the vulnerabilities above. In the meantime, ICS-CERT has\u00a0advised users of the Medfusion 4000 syringe pump to take steps to lessen the possibility of exploitation. One recommendation\u00a0is to disconnect the pump from the internet altogether.<\/p>\n<p><span style=\"background-color: #f5f6f5\">Smiths Medical and\u00a0ICS-CERT provided\u00a0<\/span>more mitigation steps in <a href=\"https:\/\/ics-cert.us-cert.gov\/advisories\/ICSMA-17-250-02\" rel=\"noopener\">this advisory<\/a>.<\/p>\n<p><em>The Malwarebytes Labs Team<\/em><\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/security-world\/2017\/09\/multiple-flaws-found-in-smart-syringe-pump\/\">Multiple flaws found in smart syringe pump<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Malwarebytes Labs| Date: Wed, 13 Sep 2017 16:27:50 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/security-world\/2017\/09\/multiple-flaws-found-in-smart-syringe-pump\/' title='Multiple flaws found in smart 
syringe pump'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/09\/shutterstock_571617352.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>As more life-saving medical devices are capable of connecting to the internet, the potential threat of malicious hacking leading to physical bodily harm becomes more real. An independent researcher recently found multiple vulnerabilities plaguing a particular syringe pump.\u00a0ICS-CERT offers several defensive measures.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/security-world\/\" rel=\"category tag\">Security world<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/security-world\/technology\/\" rel=\"category tag\">Technology<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/iot\/\" rel=\"tag\">IoT<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/iot-threats\/\" rel=\"tag\">iot threats<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/medfusion-4000-wireless-syringe-infusion-pump\/\" rel=\"tag\">Medfusion 4000 Wireless Syringe Infusion Pump<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/medical-device\/\" rel=\"tag\">medical device<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/medical-device-threat\/\" rel=\"tag\">medical device threat<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/smart-syringe-pump\/\" rel=\"tag\">smart syringe pump<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/syringe-pump-vulnerability\/\" rel=\"tag\">syringe pump vulnerability<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/security-world\/2017\/09\/multiple-flaws-found-in-smart-syringe-pump\/' title='Multiple flaws found in smart syringe pump'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" 
href=\"https:\/\/blog.malwarebytes.com\/security-world\/2017\/09\/multiple-flaws-found-in-smart-syringe-pump\/\">Multiple flaws found in smart syringe pump<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[10495,14722,14723,14724,14725,10497,14726,14727,1331],"class_list":["post-9271","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-iot","tag-iot-threats","tag-medfusion-4000-wireless-syringe-infusion-pump","tag-medical-device","tag-medical-device-threat","tag-security-world","tag-smart-syringe-pump","tag-syringe-pump-vulnerability","tag-technology"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9271","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=9271"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9271\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=9271"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=9271"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=9271"}],"curies":[{"name":
"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}