Baxter, B. Braun infusion pumps among millions of devices implicated in Ripple20 cyber alert
- Israeli research lab JSOF has discovered multiple cybersecurity vulnerabilities impacting hundreds of millions of Internet of Things (IoT) devices across a wide range of industries, including medtech. The risks from the security loopholes, dubbed Ripple20, are high and could allow hackers to take control of infusion pumps remotely and alter medication dosages, according to an example given by the lab.
- The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issued an advisory last week saying it was aware of Ripple20 and warned that “a remote attacker can exploit some of these vulnerabilities to take control of an affected system.” CISA’s advisory listed medtechs Baxter, B. Braun, and medical imaging company Carestream as being “affected” by the security loopholes. Medtronic and Philips appeared as “not affected” on the list.
- While Carestream was not immediately available for comment, Baxter and B. Braun each shared written statements with MedTech Dive calling the vulnerabilities low risk and manageable.
The Ripple20 vulnerabilities identified by JSOF were discovered in code offered by Ohio-based third party software company Treck, which serves a large number of IoT device manufacturers. The issues stem specifically from Treck’s software library, which has been widely disseminated.
“Affected vendors range from one-person boutique shops to Fortune 500 multinational corporations, including HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, Baxter, as well as many other major international vendors suspected of being of vulnerable in medical, transportation, industrial control, enterprise, energy (oil/gas), telecom, retail and commerce, and other industries,” according to JSOF, a cybersecurity firm that says it caters to big corporations.
Nick Yuran, CEO of cybersecurity consultancy Harbor Labs in Baltimore, says his firm is actively following the Ripple20 vulnerabilities and issued a rare security alert to all of its clients, including infusion pump customers, urging them to inspect their systems and confirm whether they employ the Treck stack.
“In the most severe cases, an attacker may perform remote code execution, which gives the attacker complete control of the device,” Yuran said. “We are advising our clients to take Ripple20 very seriously.”
While cyber experts are raising the red flag about the potential for hackers to exploit the Ripple20 vulnerabilities, Baxter downplayed the potential threat to its infusion pumps and contends that hospitals can continue to use the company’s systems safely.
“We were recently notified of the vulnerabilities, which affect software licensed from a third-party that is used in wireless battery modules for our infusion system. Our assessment showed the vulnerabilities to be low-risk or ‘controlled,’ as defined by the FDA’s cybersecurity guidance,” a Baxter spokesperson said in a statement to MedTech Dive, adding that the company has provided customers with actions to further secure the devices.
Likewise, B. Braun issued a communication to its customers informing them that the Treck third-party software is used in the company’s Outlook 400ES Safety Infusion Pump System, the only product in its portfolio that uses the vulnerable source code.
B. Braun said in a written statement that the company received 24 patches from Treck to fix the vulnerabilities but only four of them were applicable to the platform in question. “The four remaining patches continue to be analyzed to determine the scope, severity, and impact of each vulnerability.” B. Braun said it’s working with CISA, DHS and Treck on a vulnerability analysis of the software.
Chris Gates, principal security architect at Houston-based medical device engineering firm Velentium, said Ripple20 is the latest example of vulnerabilities in third-party software components impacting medtech over the past 12 months, including Urgent/11 and Swyentooth.
“Neither the manufacturer nor the user typically has any idea whether the devices they have in their facility are subject to newly discovered vulnerabilities like these and their associated risks,” Gates told MedTech Dive.
Cyber experts also worry that the chaos of the coronavirus pandemic has created the perfect storm for hackers to exploit these kinds of security vulnerabilities in medical devices as hospitals and healthcare systems are inundated with COVID-19 patients.