Decommissioned Medical Infusion Pumps Expose Wi-Fi Configuration Data

Medical infusion pumps available via secondary market sources contain Wi-Fi configuration settings from the original organization.

Most medical infusion pumps sold via secondary market sources still contain Wi-Fi configuration settings from the original organization that deployed them, cybersecurity firm Rapid7 has discovered.

An analysis of 13 infusion pump devices revealed that wireless authentication data had not been purged from them prior to de-acquisition, exposing this data to third parties purchasing these devices from secondary market sources, such as eBay.

Rapid7 analyzed three different infusion pump models, namely the Alaris PC 8015, the Baxter Sigma Spectrum model 35700BAX2 and associated Wireless Battery Module (WBM), and the Hospira Abbott PLUM A+ with MedNet.

No longer manufactured, these devices are still in use within numerous medical organizations worldwide, representing a potential security risk if data on them is not properly purged prior to decommissioning.

For their investigation, Rapid7’s security researchers attempted to extract sensitive data by reading the devices’ compact flash cards, by observing serial communication, and by removing the flash memory chips from the main circuit boards.

On the Alaris 8015, the researchers discovered hostnames with domain information, AES keys for encryption, service set identifiers (SSIDs), the cleartext Wi-Fi Pre-Shared Key (PSK) passphrase, credentials for Microsoft Active Directory authentication, and Wi-Fi configuration settings.

While no documentation on the data purge process for decommissioning the Alaris 8015 could be found online, Alaris did publish security service bulletins that are available to organizations that have support contracts with Becton, Dickinson and Company (BD).

Rapid7 also analyzed multiple Baxter Sigma Spectrum 35700BAX2 devices and their associated Wireless Battery Modules (WBM) and discovered that they too stored Wi-Fi configuration data, including the Wi-Fi Protected Access (WPA) passphrase converted to a 64-character hex key (PSK).

Baxter, the cybersecurity firm notes, does provide documentation detailing the steps that should be taken to reset wireless configurations and remove any other information from both the device and the WBM.
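
The 64-character hex key mentioned above is the standard WPA/WPA2-Personal derivation of the passphrase salted with the SSID, so for that network it is as sensitive as the passphrase itself. The following is an added example, not code from Rapid7 or SecurityWeek: it shows the derivation and a check a network team could run to see which WLANs still use a key found on a device pulled for disposal. The function names, the inventory and the recovered value are assumptions; the sample SSID/passphrase pairs are the public IEEE 802.11i test vectors, not data from any pump.

```python
import hashlib
import hmac


def wpa_psk(passphrase: str, ssid: str) -> str:
    """Derive the WPA/WPA2-Personal PSK as 64 hex characters.

    IEEE 802.11i: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256 bits.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSIDs are 1 to 32 bytes")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)
    return key.hex()


def networks_needing_rotation(recovered_psk_hex: str, inventory: dict) -> list:
    """Return the SSIDs whose current passphrase still derives to the recovered key."""
    recovered = recovered_psk_hex.strip().lower()
    if len(recovered) != 64 or any(c not in "0123456789abcdef" for c in recovered):
        raise ValueError("expected a 64-character hex PSK")
    return [
        ssid
        for ssid, passphrase in inventory.items()
        if hmac.compare_digest(wpa_psk(passphrase, ssid), recovered)
    ]


# Constructed inventory of WLANs currently in service (SSID -> passphrase).
# Values are the IEEE 802.11i test vectors, used here only as sample data.
CURRENT_WLANS = {
    "IEEE": "password",
    "ThisIsASSID": "ThisIsAPassword",
}

# Constructed stand-in for a hex PSK logged during a disposal inspection.
RECOVERED_PSK = "F42C6FC52DF0EBEF9EBB4B90B38A5F902E83FE1B135A70E23AED762E9710A12E"

if __name__ == "__main__":
    for ssid in networks_needing_rotation(RECOVERED_PSK, CURRENT_WLANS):
        print(f"{ssid}: key on the disposed device is still live, rotate it")
```

Because the SSID is the salt, a match identifies the specific network whose credential has to be rotated; an empty result means none of the inventoried WLANs still uses the recovered key.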

The Hospira Abbott PLUM A+ with MedNet was also found to store Wi-Fi configuration information, but, according to Rapid7, “no single procedure could be located that detailed the needed steps for removing all critical data such as PHI, and Wi-Fi configuration data in preparation of decommissioning.”

The equipment used for extracting data from these devices, Rapid7 notes, is relatively cheap, with an estimated price range of $250-$1,500, which makes it affordable for a wide range of threat actors.

“The discovery of this data on de-acquisitioned medical devices being sold on the secondary market points out a serious systemic issue. The only way to effectively resolve this issue is for organizations that leverage medical technologies to build out policies and processes for how to properly handle the acquisition and de-acquisition of medical technology,” Rapid7 notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
