Minnesota-based speciality medical device manufacturer Smiths Medical is working to address several potentially serious vulnerabilities affecting some of the company’s wireless syringe infusion pumps.
According to an advisory published on Thursday by ICS-CERT, Smiths Medical’s Medfusion 4000 wireless syringe infusion pumps, which are used worldwide to deliver small doses of medication from a syringe in acute care settings, are affected by eight vulnerabilities that can be exploited remotely.
The flaws, discovered by independent researcher Scott Gayou, affect products running versions 1.1, 1.5 and 1.6 of the firmware. The vendor has promised to patch the weaknesses with the release of version 1.6.1 in January 2018, and in the meantime it recommends applying a series of defensive measures.
Only a few details have been made public about each vulnerability in order to prevent exploitation, but ICS-CERT’s advisory shows that several of the flaws are considered critical or high severity.
“Successful exploitation of these vulnerabilities may allow a remote attacker to gain unauthorized access and impact the intended operation of the pump. Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump,” ICS-CERT warned.
The most serious security hole, tracked as CVE-2017-12725 with a CVSS score of 9.8, is related to the use of hardcoded credentials to automatically establish a wireless network connection if the default configuration is not changed.
The list of high severity vulnerabilities includes a buffer overflow that can be exploited for code execution in certain conditions (CVE-2017-12718), the lack of authentication and the presence of hardcoded credentials for the device’s FTP server (CVE-2017-12720 and CVE-2017-12724), and the lack of proper host certificate validation (CVE-2017-12721), which exposes the pump to man-in-the-middle (MitM) attacks.
The remaining flaws have been classified as having medium severity and they allow an attacker to crash the device’s communications module (without impacting the therapeutic module), authenticate to telnet via hardcoded credentials, and obtain passwords from configuration files.
Until patches are released, the vendor has advised customers to assign static IP addresses to pumps, monitor network activity for malicious DNS and DHCP servers, install the device on isolated networks, set strong and unique passwords, and regularly create backups.
Additionally, ICS-CERT recommends disabling the FTP server, closing unused ports, monitoring network traffic going to the pump, placing devices behind firewalls, and even temporarily disconnecting the pump from the network until patches become available.
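The monitoring advice above can be turned into a simple check over network flow records. The following Python sketch is an added example, not code from the vendor or ICS-CERT: it flags DHCP and DNS replies from servers that are not on an approved list, and any FTP or telnet connection to a pump. All addresses, the flow record format and the allowlists are constructed assumptions.

```python
# Constructed site values (assumptions for illustration only).
PUMPS = {"10.20.30.5", "10.20.30.6"}        # pumps on static IPs, isolated VLAN
APPROVED_DNS = {"10.20.30.2"}
APPROVED_DHCP = {"10.20.30.2"}
MGMT_HOSTS = {"10.20.30.3"}                 # only host expected to contact pumps
RISKY_PORTS = {21: "ftp", 23: "telnet"}     # services named in the advisory

# Constructed flow records: proto src sport dst dport
SAMPLE_FLOWS = """\
udp 10.20.30.2 53 10.20.30.5 40112
udp 10.20.30.9 53 10.20.30.5 40113
udp 10.20.30.2 67 255.255.255.255 68
udp 10.20.30.9 67 255.255.255.255 68
tcp 10.20.30.3 51000 10.20.30.5 443
tcp 192.0.2.44 51877 10.20.30.5 21
tcp 10.20.30.3 51001 10.20.30.6 23
tcp 10.20.30.77 40000 10.20.30.6 8080
"""

def review_flows(text):
    """Return (line number, alert type, source address) for suspicious flows."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records
        proto, src, sport, dst, dport = parts
        sport, dport = int(sport), int(dport)
        if proto == "udp" and sport == 67 and src not in APPROVED_DHCP:
            # DHCP server replies originate from UDP port 67.
            alerts.append((lineno, "rogue-dhcp", src))
        elif proto == "udp" and sport == 53 and dst in PUMPS and src not in APPROVED_DNS:
            # DNS answer to a pump from an unapproved resolver.
            alerts.append((lineno, "rogue-dns", src))
        elif proto == "tcp" and dst in PUMPS:
            if dport in RISKY_PORTS:
                # FTP/telnet toward a pump is flagged regardless of source.
                alerts.append((lineno, RISKY_PORTS[dport] + "-to-pump", src))
            elif src not in MGMT_HOSTS:
                alerts.append((lineno, "unexpected-peer", src))
    return alerts

if __name__ == "__main__":
    for lineno, kind, src in review_flows(SAMPLE_FLOWS):
        print(f"flow {lineno}: {kind} from {src}")
```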

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
