Rapid7 issues vulnerability advisory for two Baxter devices
Rapid7 has discovered vulnerabilities in two TCP/IP-enabled medical devices produced by Baxter Healthcare. The affected products are SIGMA Spectrum Infusion Pump (Firmware Version 8.00.01), and SIGMA WiFi Battery (Firmware Versions 16, 17, 20 D29).
Baxter's SIGMA Spectrum product is a commonly used brand of infusion pumps, which hospitals typically use to deliver medication and nutrition directly into a patient's circulatory system. These TCP/IP-enabled devices provide data to healthcare providers to enable more effective, coordinated care.
Rapid7 initially reported the issues to Baxter on April 20, 2022. The disclosed vulnerabilities were discovered by Deral Heiland, Principal IoT Researcher at Rapid7.
Since then, Rapid7's research team and Baxter have worked with each other to discuss the impact, resolution, and coordinated response for all discovered vulnerabilities.
“Baxter is an exemplary medical technology company with an obvious commitment to patient and hospital safety. While med-tech vulnerabilities can be tricky and expensive to work through, we're quite pleased with the responsiveness, transparency, and genuine interest shown by Baxter's product security teams,” says Rapid7.
“In all cases, these issues could not have been exploited over the internet, or otherwise from a distance. An attacker would need to be within at least WiFi range of the affected devices. And in some cases, the attacker would need to have direct, physical access. So, while these issues don't rate as critically high severity, Baxter nonetheless took these findings seriously and worked out mitigations appropriately, putting patient health first,” adds Rapid7.
Baxter, on its part, also issued a statement.
“In support of our mission to save and sustain lives, Baxter takes product security seriously. We are committed to working with the security researcher community to verify and respond to legitimate vulnerabilities and ask researchers to participate in our responsible reporting process,” says the company.
“Software updates to disable Telnet and FTP (CVE-2022-26392) are in process. Software updates to address the format string attack (CVE-2022-26393) are addressed in WBM version 20D30 and all other WBM versions.”
“Authentication is already available in Spectrum IQ (CVE-2022-26394). Instructions to erase all data and settings from WBMs and pumps before decommissioning and transferring to other facilities (CVE-2022-26390) are in process for incorporation into the Spectrum Operator’s Manual and are available in the Baxter Security Bulletin.”
Meanwhile, discussing the discovered vulnerabilities in more detail, Rapid7 adds, “The biggest risk is that the WiFi/battery unit stores the WiFi credentials (WPA PSK) from the last infusion pump unit it was connected to. The pump's factory reset feature [this is being fixed by Baxter] does not purge the credentials data from the WiFi/battery. So, if the WiFi/batteries are sold on the secondary market during de-acquisition, then anyone purchasing those units could extract the data.”
In the case of the pumps, Rapid7 adds, “If an attacker could get network access to a pump unit, they could, with a single unauthenticated packet, cause the unit to redirect all back-end system communications to a host they control. This will allow for a potential Man in the Middle attack. This could also impact the accuracy of the pump data being sent for monitoring and recording purposes. This could also be potentially used to intercept drug library data updates to the pumps, which could potentially be dangerous.”