Rapid7 has discovered vulnerabilities in two of Baxter's TCP/IP-enabled medical devices: SIGMA Spectrum Infusion Pump (Firmware Version 8.00.01) and SIGMA Wi-Fi Battery (Firmware Versions 16, 17, 20 D29).
Rapid7 said an attacker with physical access to an infusion pump could install a Wi-Fi battery unit, quickly power-cycle the pump, and then remove the battery, walking away with a unit that, once disassembled and reverse-engineered, yields the organization's Wi-Fi data.
Also, because these battery units store Wi-Fi credentials in non-volatile memory, there is a risk that when the devices are decommissioned without any effort to overwrite the stored data, anyone acquiring them on the secondary market could obtain the Wi-Fi credentials of the organization that decommissioned them.
Baxter has been working with Rapid7 on developing a response to the vulnerabilities.
"In support of our mission to save and sustain lives, Baxter takes product security seriously. We are committed to working with the security researcher community to verify and respond to legitimate vulnerabilities and ask researchers to participate in our responsible reporting process," the company said.
The company said that software updates to disable Telnet and FTP (CVE-2022-26392) and to fix the format string vulnerability (CVE-2022-26393) are included in WBM version 20D30 and all other WBM versions. Authentication is already available in Spectrum IQ (CVE-2022-26394). Instructions for erasing all data and settings from WBMs and pumps before decommissioning them or transferring them to other facilities (CVE-2022-26390) are being incorporated into the Spectrum Operator's Manual and are available in the Baxter Security Bulletin.
This is not the first time this year that Baxter's infusion pumps have run into trouble. In February, the company issued a safety alert regarding upstream occlusion alarms for all Spectrum V8 and Spectrum IQ infusion pumps. Incorrect administration set setup and/or incomplete resolution of upstream occlusion alarms may result in reduced delivery or non-delivery of medication, in some cases without the pump alarm alerting the user, the company said.
At the time, Baxter said it had received 51 reports of serious injury and three reports of patient death over five years that may have resulted from incorrect administration set setup and/or incomplete resolution of upstream occlusion alarms.