Braun Patched Faulty IV Pump After McAfee Discovered Vulnerability Allowing Medication Tampering.
McAfee Enterprise’s Advanced Threat Research Team disclosed five unreported security vulnerabilities that existed in German healthcare giant B. Braun’s Infusomat Space Large Volume Pump and SpaceStation.
Researchers reported that hackers could use these vulnerabilities to change doses without authentication to access the device. For your information, these devices are used in adult and pediatric healthcare facilities to help doctors and nurses to avoid manual infusions. The study was conducted in collaboration with Culinda.
How the Vulnerability Affects The Pumps?
McAfee researchers revealed in their report that an attacker could exploit the flaw to change the way a pump is configured in standby mode, which can easily administer altered doses of medication to patients. It happens so because the pump’s operating system doesn’t check from where and whom it is receiving the command.
Hence, hackers could remotely exploit the device by gaining access to its internal system that regulates how a patient receives medication.
“Modification could appear as a device malfunction and be noticed only after a substantial amount of drug has been dispensed to a patient, since the infusion pump displays exactly what was prescribed, all while dispensing potentially lethal doses of medication,” researchers noted.
Watch the PoC of the attack
Braun Fixed the Issue
After discovering the vulnerabilities, McAfee researchers notified the German medical equipment maker on 11 January 2021. In a security advisory, B. Braun announced addressing the flaws in SpaceCorn L82 and later versions, Battery Pack SP with WiFi:L82 and later, and DataModule compactplus version A12 and later.
The good news is that B. Braun has fixed the issues. Nevertheless, the flaws would have let an attacker gain privilege escalation, access sensitive information, perform remote code execution, and upload arbitrary files. Here are the details of the vulnerabilities.
- CVE-2021-33885 – Insufficient Verification of Data Authenticity (CVSS 9.7)
- CVE-2021-33882 – Missing Authentication for Critical Function (CVSS 8.2)
- CVE-2021-33886 – Use of Externally-Controlled Format String (CVSS 7.7)
- CVE-2021-33883 – Cleartext Transmission of Sensitive Information (CVSS 7.1)
- CVE-2021-33884 – Unrestricted Upload of File with Dangerous Type (CVSS 5.8)