Security Engineer Unearths Eight Security Flaws in Multiple Versions of Smiths Medical's MedFusion 4000 Syringe Pump

 

Orange County, CA - September 13th 2017 - Private researcher Scott Gayou, from Overland Park, Kansas, currently working as a security engineer with Garmin International, has unearthed eight separate security flaws in three versions of the MedFusion 4000 syringe pump made by Smiths Medical, a division of the British multinational Smiths Group. These security flaws leave the syringe pumps vulnerable to remote AI hacks.

Syringe pumps, though tending to go unnoticed in a patient's room, are some of the most crucial instruments in a hospital. They are used to deliver precise amounts of fluids to patients of all ages, ranging from adults to newborn infants. Most notably, syringe pumps distribute anesthesia, drugs, blood, antibiotics, and other critical fluids needed over the course of the patient's stay.

Gayou’s discovery pressed the Department of Homeland Security (DHS) to issue an advisory warning last week. In part, the warning reads, “Successful exploitation of these vulnerabilities may allow a remote attacker to gain unauthorized access and impact the intended operation of the pump. Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump.”


The pumps are expected to systematically deliver proper drug doses to patients after a given amount of time. These devices in working order (in hospitals with steadfast electricity for operation, as opposed to mechanical pumps used in developing countries) can administer drugs in minuscule, consistent amounts nearly impossible for human nurses to replicate. Vulnerabilities in these machines could lead to catastrophic consequences and need to be remedied immediately. In their statement, Smiths Medical pledged to release fixes in the compromised Medfusion 4000 Version 1.6.1 by January 2018. In the meantime, mitigation protocols have been released to advise healthcare facilities in instances of attack.

Another device recall occurring earlier in the year dealt with seven models of pacemakers from four different manufacturers. The US Food and Drug Administration (FDA) recalled a total of 465,000 products after researchers from White Scope, a security firm located in California and Texas, exposed the potential for security hacks by commercially available software costing as little as $15.

As outlined by the FDA, extreme hacking scenarios can range from reprogramming medical devices to quickly drain battery power to modifying a patient’s heartbeat. The Medfusion 4000 syringe pump vulnerabilities drew a CVSS (Common Vulnerability Scoring System) score of 9.8/10. Luckily, this severe risk was discovered before any harmful attacks were committed. Hopefully, this will serve as a warning to manufacturers to check meticulously for any future software susceptibility.

 


 

About Ampronix

Ampronix is a renowned authorized master distributor of the medical industry's top brands as well as a world class manufacturer of innovative technology. Since 1982, Ampronix has been dedicated to meeting the growing needs of the medical community with its extensive product knowledge, outstanding service, and state-of-the-art repair facility. Ampronix prides itself on its ability to offer tailored, one-stop solutions at a faster and more cost effective rate than other manufacturers. Ampronix is an ISO & ANSI/ESD certified facility.
