Vulnerabilities Identified in Smiths Medical Medfusion 4000 Devices

The U.S. Department of Homeland Security (DHS) has issued a warning about vulnerabilities in Smiths Medical Medfusion 4000 wireless syringe infusion pumps. The vulnerabilities could potentially be exploited by hackers to alter the performance of the devices.

Smiths Medical Medfusion 4000 devices deliver small doses of medication and are used in acute care settings throughout the United States and around the world. Eight vulnerabilities have been identified in three versions of the wireless syringe infusion pumps (v1.1, v1.5 and v1.6), with CVSS v3 scores ranging from 3.7 to 8.1. The vulnerabilities could be exploited remotely, potentially causing harm to patients. Hackers could also exploit the vulnerabilities to gain access to other healthcare IT systems if the devices are not segmented on the network.

DHS says the impact to organizations depends on several factors, based on specific clinical usage and each hospital’s operational environment. Six of the vulnerabilities relate to hard-coded passwords/credentials, certificate validation issues, and authentication gaps that could allow hackers to gain access to the devices. The other two vulnerabilities involve third-party components, although those vulnerabilities would be much harder to exploit.

Smiths Medical has reassured healthcare organizations that while the vulnerabilities could potentially be exploited, in a clinical setting this would be highly unlikely, explaining the exploit “requires a complex and an unlikely series of conditions.” Attackers would also require a high skill level to exploit the vulnerabilities in Smiths Medical Medfusion 4000 wireless syringe infusion pumps. ICS-CERT says there are no publicly known exploits targeting the vulnerabilities.

Smiths Medical has been working closely with DHS and will resolve the flaws, although the Plymouth, MN-based medical device manufacturer will not do so until the release of Medfusion 4000 v1.6.1 in January 2018.

In the meantime, healthcare organizations using vulnerable versions of the devices have been advised by Smiths Medical to take steps to reduce risk. Those steps include:

  • Assigning static IP addresses to the infusion pumps
  • Monitoring network activity for rogue DNS and DHCP servers
  • Ensuring network segmentation is in place and the devices are segregated from other parts of hospital networks. Hospitals have been advised to consider network micro-segmentation
  • Using virtual local area networks (VLANs) for the segmentation
  • Adopting password best practices, such as setting strong passwords and not re-using passwords
  • Performing routine backups and evaluations.

ICS-CERT recommends disconnecting the devices from the network until the product fix is applied, although this would require the drug library to be updated manually on all devices.

ICS-CERT also recommends:

  • Closing Port 20/FTP, Port 21/FTP, and Port 23/Telnet if the devices need to be networked
  • Disabling the FTP server on the pumps
  • Closing all unused ports
  • Monitoring and logging all network traffic attempting to reach the affected products, including attempts on closed ports
  • Locating the devices behind firewalls
  • Using VPNs to connect to the devices if remote access is required, and ensuring the latest versions of the VPNs are installed.
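
The monitoring steps in both lists (watching for rogue DNS and DHCP servers, and logging attempts to reach the pumps on the FTP and Telnet ports, including closed ones) can be run as checks over flow logs. The following is an added example, not part of the advisory or any vendor tooling; the pump subnet, the sanctioned server addresses and the log layout are constructed assumptions.

```python
import ipaddress

# Assumptions, constructed for this example (none come from the advisory):
# pump VLAN subnet, sanctioned DNS/DHCP servers, and the flow-log layout.
PUMP_NET = ipaddress.ip_network("10.20.30.0/24")
APPROVED_INFRA = {"10.20.0.53", "10.20.0.67"}
RISKY_TCP = {20: "FTP-data", 21: "FTP", 23: "Telnet"}  # ports ICS-CERT says to close
INFRA_UDP = {53: "DNS", 67: "DHCP"}                    # source ports of server replies

# Constructed sample: "<time> <proto> <src>:<sport> -> <dst>:<dport> <action>"
SAMPLE_LOG = """\
2017-09-08T10:00:01Z TCP 10.20.40.15:51022 -> 10.20.30.11:21 DENY
2017-09-08T10:00:02Z TCP 10.20.40.15:51023 -> 10.20.30.11:23 ALLOW
2017-09-08T10:00:03Z UDP 10.20.0.53:53 -> 10.20.30.11:40000 ALLOW
2017-09-08T10:00:04Z UDP 10.20.30.200:67 -> 255.255.255.255:68 ALLOW
2017-09-08T10:00:05Z UDP 10.20.40.99:53 -> 10.20.30.12:40001 ALLOW
2017-09-08T10:00:06Z truncated line
"""

def parse(line):
    """Return a flow record dict, or None for a malformed line."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "->":
        return None
    try:
        src, sport = parts[2].rsplit(":", 1)
        dst, dport = parts[4].rsplit(":", 1)
        return {"time": parts[0], "proto": parts[1].upper(), "action": parts[5].upper(),
                "src": ipaddress.ip_address(src), "sport": int(sport),
                "dst": ipaddress.ip_address(dst), "dport": int(dport)}
    except ValueError:
        return None

def findings(log_text):
    """List (time, rule, src, dst) for traffic the mitigations say to watch."""
    out = []
    for rec in filter(None, map(parse, log_text.splitlines())):
        to_pump, from_pump_net = rec["dst"] in PUMP_NET, rec["src"] in PUMP_NET
        if rec["proto"] == "TCP" and to_pump and rec["dport"] in RISKY_TCP:
            # Denied attempts are reported too: closed-port probes are worth logging.
            rule = f"{RISKY_TCP[rec['dport']]} attempt ({rec['action']})"
        elif (rec["proto"] == "UDP" and rec["sport"] in INFRA_UDP
              and (to_pump or from_pump_net) and str(rec["src"]) not in APPROVED_INFRA):
            rule = f"unsanctioned {INFRA_UDP[rec['sport']]} server reply"
        else:
            continue
        out.append((rec["time"], rule, str(rec["src"]), str(rec["dst"])))
    return out

if __name__ == "__main__":
    for finding in findings(SAMPLE_LOG):
        print(*finding, sep="  ")
```

An ALLOW on an FTP or Telnet finding means the port is still reachable and the firewall rule needs attention; a DENY shows the block is working but that something is probing the pump.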

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.