Researchers at McAfee have discovered several vulnerabilities in the software of an infusion pump from manufacturer B.Braun. These vulnerabilities made it theoretically possible for an attacker to adjust the medication dose.
There are five vulnerabilities in total. In a research paper, the researchers describe the vulnerabilities and how they could be used to manipulate the infusion pumps. Through the five vulnerabilities, the configuration of a pump could be modified while it was in standby mode. Once the pump became active again, an increased dose could be given to a patient.
By exploiting the vulnerabilities, the researchers were able to upload files to the IV pump and manipulate the machine. This was possible because uploads to the system were not properly authenticated. It only worked when the pump was switched off or on standby; when the infusion pump was active, nothing could be adjusted.
McAfee notified the manufacturer of the vulnerabilities on January 11. In May, B.Braun released updates that fix them. According to B.Braun, the vulnerabilities have not been actively used by attackers to manipulate IV pumps.