Most medical infusion pumps sold via secondary market sources still contain Wi-Fi configuration settings from the original organization that deployed them, cybersecurity firm Rapid7 has discovered.
An analysis of 13 infusion pump devices revealed that wireless authentication data had not been purged from them prior to de-acquisition, exposing this data to third parties purchasing the devices from secondary market sources such as eBay.
Rapid7 analyzed three different infusion pump models, namely the Alaris PC 8015, the Baxter Sigma Spectrum model 35700BAX2 and associated Wireless Battery Module (WBM), and the Hospira Abbott PLUM A+ with MedNet.
No longer manufactured, these devices are still in use within numerous medical organizations worldwide, representing a potential security risk if data on them is not properly purged prior to decommissioning.
For their investigation, Rapid7's security researchers attempted to extract sensitive data from the devices' compact flash cards, by observing serial communication, and by removing the flash memory chips from the main circuit boards.
On the Alaris 8015, the researchers discovered hostnames with domain information, AES encryption keys, service set identifiers (SSIDs), clear-text Wi-Fi Pre-Shared Key (PSK) passphrases, credentials for Microsoft Active Directory authentication, and Wi-Fi configuration settings.
While no documentation on purging data from the Alaris 8015 before decommissioning could be found online, Alaris did publish security service bulletins that are available to organizations with support contracts with Becton, Dickinson and Company (BD).
Rapid7 also analyzed multiple Baxter Sigma Spectrum 35700BAX2 devices and their associated Wireless Battery Modules (WBMs) and discovered that they too stored Wi-Fi configuration data, including the Wi-Fi Protected Access (WPA) passphrase converted to a 64-character hex key (PSK).
Baxter, the cybersecurity firm notes, does provide documentation detailing the steps that should be taken to reset wireless configurations and remove any other information from both the device and the WBM.
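The 64-character hex key mentioned above is not a hash of the passphrase that can be discarded safely: it is the actual network credential, derived deterministically from passphrase and SSID by the IEEE 802.11 passphrase-to-PSK mapping. The following Python is an added illustration, not Rapid7's code or any vendor's procedure, showing the derivation and a decommissioning check that scans a recovered configuration dump for such residue and tells the team whether it matches one of its own networks. The sample dump, its key names and the known-network mapping are constructed assumptions; the "password"/"IEEE" pair is the published IEEE 802.11 test vector.

```python
import hashlib
import re

# Any 64-hex-character token on a line is a candidate WPA/WPA2 PSK.
HEX_PSK_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def wpa_psk_hex(passphrase: str, ssid: str) -> str:
    """IEEE 802.11 passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1 with the SSID
    as salt, 4096 iterations, 256-bit output, returned as 64 hex characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)
    return key.hex()


def find_psk_residue(config_text: str, known_networks: dict) -> list:
    """Scan a recovered config dump for 64-hex PSKs.

    known_networks maps SSID -> passphrase for the networks the decommissioning
    team owns. A match means the surplus device still carries a live credential
    for that network; an unmatched key is still residue that must be purged."""
    findings = []
    for line in config_text.splitlines():
        for hexkey in HEX_PSK_RE.findall(line):
            hexkey = hexkey.lower()
            matched = [ssid for ssid, pw in known_networks.items()
                       if wpa_psk_hex(pw, ssid) == hexkey]
            findings.append({
                "line": line.strip(),
                "psk": hexkey,
                "matches_ssid": matched[0] if matched else None,
            })
    return findings


# Constructed sample in the shape of the residue the article describes;
# not a real dump from any of the devices.
SAMPLE_DUMP = """ssid=IEEE
wpa_psk=f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e
"""

if __name__ == "__main__":
    for finding in find_psk_residue(SAMPLE_DUMP, {"IEEE": "password"}):
        status = finding["matches_ssid"] or "unknown network"
        print(f"PSK residue found ({status}): {finding['line']}")
```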
The Hospira Abbott PLUM A+ with MedNet was also found to store Wi-Fi configuration information, but, according to Rapid7, "no single procedure could be located that detailed the needed steps for removing all critical data such as PHI, and Wi-Fi configuration data in preparation of decommissioning."
The equipment used to extract data from these devices, Rapid7 notes, is relatively inexpensive, with an estimated price range of $250-$1,500, which puts it within reach of a wide range of threat actors.
“The discovery of this data on de-acquisitioned medical devices being sold on the secondary market points out a serious systemic issue. The only way to effectively resolve this issue is for organizations that leverage medical technologies to build out policies and processes for how to properly handle the acquisition and de-acquisition of medical technology,” Rapid7 notes.