Researchers found security vulnerabilities in Baxter’s Sigma Spectrum infusion pumps and several versions of its associated WiFi batteries that could be exploited to facilitate credential leakage. The findings have raised concern among users about the potential leak of their medical data.
Earlier this April, cybersecurity software firm Rapid7 found two vulnerabilities in TCP/IP–enabled medical devices by Baxter Healthcare. The company discovered four flaws that could leak information about the specified doses of medications, blood, and other fluids delivered to patients via infusion tubes in healthcare settings.
On September 8th, 2022, company researchers made the security flaw public and raised security concerns over the use of Baxter products and their safety. The lack of an encryption protocol seemed to be the major flaw in the products, reported Fierce Biotech.
Baxter infusion pumps’ vulnerability explained
The lack of encryption is one of the significant weak points in Baxter infusion pumps, Rapid7 stated. Because the pumps cannot mask readable data, hackers could easily access information related to patient health and local WiFi network passwords.
Moreover, Baxter infusion pumps do not require any authentication from the users, which allows them to connect to gateway servers and gives hackers a chance to interfere with the device’s network connection.
The vulnerability could allow hackers to exploit the pumps’ wireless battery modules to get into the system’s memory, obtain confidential patient data, or modify a device’s settings. Since these battery modules function wirelessly, hackers can deliver remote commands using application messaging.
Baxter infusion pumps can be exploited remotely
The U.S.-based Cybersecurity and Infrastructure Security Agency (CISA) scored Baxter infusion pumps with a software defect rating of 5.5, indicating a “medium” danger on the vulnerability ranking system.
However, despite the open flaw, which hackers could have already exploited, the agency pointed out that there were no known publicly accessible exploits that expressly targeted the defects.
Since the news about the vulnerabilities broke, several software patches have been released, and Baxter is working with cybersecurity companies to fix the issues. The business is also rewriting the system’s documentation to include instructions for entirely wiping all data and settings from the infusion pumps’ batteries before they are retired and moved to other sites.