McAfee Enterprise publishes vulnerabilities in B. Braun infusion pumps (technical article)

Contents: Overview; Background; What is an infusion pump?; Existing security measures; Project motivation; System description; Spacecom functions and software components; Details of critical attack scenarios; The purpose of the attack; Initial access; Privilege escalation; Crossing systems; Understanding critical data; Attack prerequisites; Demo; Unique considerations for hacking infusion pumps; Why change tube_headVolume; Hospital operations and over-infused medications; Common pitfalls; Patching; All designs for safety are reliable; Wi-Fi connection status. CVEs covered: CVE-2021-33882, CVE-2021-33883, CVE-2021-33884, CVE-2021-33885, CVE-2021-33886.

Overview

As part of its continuing goal of helping companies and consumers obtain products free of security problems, McAfee Enterprise's Advanced Threat Research (ATR) team recently investigated two B. Braun medical devices used in adult and pediatric medical facilities: the Infusomat Space Large Volume Pump and the SpaceStation. The investigation was conducted with the support of Culinda, a trusted leader in the medical cyber security field. This partnership uncovered five previously unreported vulnerabilities in the medical system.

1. CVE-2021-33886 - Use of externally controlled format string (CVSS 8.1)
2. CVE-2021-33885 - Insufficient verification of data authenticity (CVSS 9.7)
3. CVE-2021-33882 - Missing authentication for critical function (CVSS 8.2)
4. CVE-2021-33883 - Cleartext transmission of sensitive information (CVSS 7.1)
5. CVE-2021-33884 - Unrestricted upload of file with dangerous type (CVSS 5.4)

Taken together, these vulnerabilities could be used by a malicious attacker to change the pump's configuration while it is in standby mode, causing an unexpected dose of medication to be delivered to a patient on its next use. All of this can be done without authentication.

In accordance with McAfee's vulnerability disclosure policy, the initial findings were reported to B. Braun on January 11, 2021. B. Braun responded shortly thereafter and has maintained an ongoing dialogue with ATR while working to adopt the mitigations outlined in the disclosure report.

This white paper addresses the unique challenges facing the medical industry and presents the most important high-level and technical details of the attack chain. For a condensed version, see the accompanying summary blog.

Background

The most important part of any product evaluation is to fully understand the purpose and functions of the product under test. Without that understanding, research can easily produce meaningless results. This investigation therefore began by studying what an infusion pump is and which security measures were already in place.

What is an infusion pump?

Starting with the basics and a trusted source, FDA.gov states that "an infusion pump is a medical device that delivers fluids, such as nutrients and medications, into a patient's body." The FDA also notes that they are generally used by "a trained user who programs the rate and duration." Infusion pumps range from simple devices that administer a single intravenous (IV) medication in a home setting to complex ones that deliver multiple medications simultaneously in an ICU. From the 1960s to the 2000s, the infusion pump was primarily an electromechanical device with a few embedded electronics, but advances in technology brought better safety mechanisms and the ability to program them, producing "smarter" devices and slowly opening the door to information security issues. Looking at the Infusomat® Space® Large Volume Pump (Fig. 1), the specific product we chose to examine, it is clear that this pump is intended for the medical environment and is not designed for home users. Infusion pumps mainly exist to remove the need for manual infusion, which requires converting a dose into drops per minute and visually counting drops to set a reliable rate, a time-consuming process. It is estimated that more than 200 million infusions are performed worldwide every year, and infusion pump sales in the United States reached $13.5 billion in 2020. Clearly, the infusion pump has established its place in the medical world.

Figure 1: B.BRAUN INFUSOMAT Pump

Existing security measures

Infusion pumps occupy a very large part of the medical field and come in several different types, so it is reasonable to expect that our team is not the first to question their security. As expected, there have been many research projects on infusion pumps over the years. Probably the best known was presented at Black Hat in 2018 by Billy Rios and Jonathan Butts. Their research focused on a Medtronic insulin pump; they found that the device emitted cleartext traffic and that replay attacks could be used to remotely administer additional insulin to a patient. Earlier, research on the Hospira Symbiq infusion pump published in 2015 showed that, although authentication was required, drug library files could be modified through "unexpected operations" to increase the dose delivered.

Of course, the most important question for our purposes remains: is there any previous research on this specific device? Initially, the answer was no. During our research project, however, ManiMed, a very large study of the security of network-connected medical devices manufactured or used in Germany, carried out with the support of German authorities, was published. It included research on B. Braun's Infusomat pump. It is an excellent study covering many network-connected devices; we refer to it and explain its results where needed in this document. We also build on that work and show new attacks that were previously described as impossible.

Project motivation

Considering the background above, it is clear that there is still much important research to be done in this field. The infusion pump is a prominent area of medical device development, yet the research to date has been relatively superficial. Given the potential impact and the state of medical device security, many previous projects did not need to dig very deep to find security issues. Many devices in the infusion pump industry have never been publicly examined, and even those that have were mostly given only a rough analysis by the information security community. For these reasons we decided to investigate B. Braun, one of the largest infusion pump vendors, focusing on one of its devices used around the world and analyzing it in unprecedented depth. We wanted to examine every aspect of this pump and answer a basic question: in a realistic scenario, could a malicious attacker exploit existing security vulnerabilities to affect the lives of the people relying on this product?

System description

The system examined in this research project consisted of three major components: the B. Braun Infusomat Large Volume Pump model 871305U (the infusion pump itself), the SpaceStation model 8713142U (a docking station holding up to four pumps), and a software component called Spacecom, version 012U000050. The software for these models and the B. Braun Infusomat system was released in 2017. In industries such as consumer electronics this would be considered obsolete and of little research relevance; as noted above, however, that is not the case in the medical field. Older devices remain in wide use and were likely developed without much attention to security, which makes investigating them all the more important.

Spacecom is an embedded Linux system that can run on the pump from a smart battery pack or from the SpaceStation. When a pump is docked in the SpaceStation, the pump's own Spacecom is disabled. Most of the investigation was conducted with the pump docked in the SpaceStation, since this is the most common use case, and a compromised SpaceStation could affect multiple pumps at once. Regardless of where it runs, Spacecom serves as the system's external communication module and is separated from the pump's internal operation.

Viewing a pump docked in the SpaceStation as a single system, there are three separate operating systems running on three different chipsets. Spacecom, running in the SpaceStation, runs a standard Linux on a PowerPC chipset. The SpaceStation's WiFi module also runs a standard Linux, on an ARM chipset, and communicates with Spacecom over a PCI bus. Finally, the pump runs its own custom real-time operating system (RTOS) and firmware on an M32C microcontroller; an additional microcontroller monitors the M32C, which is beyond the scope of our research. This modular design requires a dedicated path for data exchange between the Spacecom communication module and the pump. This is provided by a CAN bus shared throughout the SpaceStation, which lets the pumps and accessories communicate with each other regardless of whether the pump's own Spacecom or the SpaceStation's is in use. The architecture diagram below shows the system layout and design when a pump is docked.

Figure 2: System architecture

Spacecom functions and software components

Spacecom contains a variety of proprietary software and applications supporting many functions for B. Braun and medical facilities. Our team spent a lot of time analyzing each of them in detail; this white paper, however, covers only the key components relevant to the most important findings mentioned in the opening summary.

An important feature of Spacecom is the ability to update the drug library and pump configuration stored on the pump. The drug library contains a list of drugs preconfigured for the ward and department, default concentrations, informational messages displayed on screen when a drug is selected, and, more importantly, soft and hard limits to prevent medication errors. One of the biggest selling points of a smart infusion pump is its ability to prevent incorrect drug administration, which is enforced in part by the drug library limits. Another risk that drug libraries reduce is human error: by programming the most common doses and infusion durations into the pump, they eliminate the rate calculations and drop counting associated with manual infusion therapy.

The pump RTOS contains a database of more than 1,500 keys and values used during operation. This data covers everything from current components, battery life and motor speed to alarms and tube calibration. It is therefore considered highly sensitive in the context of pump operation; it is not intended for direct user interaction and is not presented to the user. A subset of the keys can be changed indirectly by certified engineers through dedicated service software.

A proprietary binary called PCS is used on Spacecom to manage both the drug library and the pump configuration on the pump. The PCS binary uses a "canon" binary to interface with the CAN bus and sends commands to the pump system that read and write values based on the supplied drug library or pump configuration. The main interface for this task is a proprietary TCP network protocol, by default on port 1500. The protocol is neither authenticated nor encrypted; we investigated these weaknesses and attacked them extensively, and, as described in the summary above, CVE-2021-33882 and CVE-2021-33883 were filed for them.

Details of critical attack scenarios

The purpose of the attack

What is a malicious attacker's purpose? Realistically, most attacks have proven to be financially motivated. Applied to an infusion pump, the question becomes: would healthcare providers pay large sums without hesitation? Looking at recent events, in May 2021 Colonial Pipeline paid hackers $4.4 million to get its oil pipeline running again after a ransomware attack.

Regarding the rise in attacks on medical facilities, the FBI estimates that cyber attacks using Ryuk ransomware netted $61 million over 21 months in 2018 and 2019. Attacks have now shown the potential to harm patients, as in the October 28, 2020 example in which the University of Vermont Health Network, as part of a larger coordinated attack on multiple US healthcare providers, completely lost its electronic medical record system for several weeks. As a result of the ransomware attack, 75% of active chemotherapy patients were turned away, ambulances were rerouted, and tests and treatments were delayed. Given that IV pumps directly support human life, it is easy to imagine an attacker demanding a "ransom" backed by a real threat to patients. To do so, the attacker needs to control the pump's operation.

As mentioned above, this task is not as simple as it sounds given the pump's design. The conventional approach of "getting root" on the network component (Spacecom) is not enough on its own: to change the pump itself, the attacker must interact with the pump's RTOS, which is not connected to the network. This section explains how the five reported CVEs can be used to achieve this goal.

Initial access

Gaining root access on Spacecom does not provide everything needed to reach the final goal, but it is still the first step. During reconnaissance of the system, we found a remote interface at https://{IPAddress}/rpc. This interface was connected to a common open-source service called JSON-DBUS-BRIDGE. As described on GitHub, this service is "a FastCGI application that provides access to D-Bus. It accepts JSON-RPC calls and converts them to D-Bus calls. All responses are converted to JSON and sent to the client." This caught our interest because external access to the D-Bus subsystem may expose internal communication whose security level differs from that of the ordinary external network.

When investigating any kind of vulnerability or performing a security evaluation of a product, it is important to remember to search for known issues in third-party components. This is even more important here, since we were working with software released in 2017. While scrutinizing the JSON-DBUS-BRIDGE GitHub page, we noticed a format string vulnerability that had been patched in 2015. Naturally, we had to test whether the version in use was still vulnerable, and it was.

Figure 3: Format string vulnerability test

The test in Fig. 3 confirmed the presence of a format string vulnerability. Although this vulnerability in the JSON-DBUS-BRIDGE code was publicly discovered in 2015, the fix was never included in the B. Braun software, so it met the criteria for disclosure as a vendor-specific zero-day vulnerability. It was filed as CVE-2021-33886 and was the first finding reported to B. Braun. Over the following weeks we were able to develop a working exploit from this vulnerability and obtain shell access to the device as the www user. The precise technical details of the exploit are omitted, since unpatched devices could still be affected.

Privilege escalation

User-level access is the first step, but root access is needed to interact with the CAN bus and communicate with the actual pump. A well-known privilege escalation technique is to look for root-owned binaries with the setuid bit set; nothing immediately usable was found. However, the web interface offers an option to back up and restore the settings, which relies on a folder containing a small number of files and encrypts them with AES using a user-specified password. The backup archive can then be downloaded and restored later. When a backup is restored, root unpacks it and preserves the file permissions from the supplied tar file. Therefore, if the archive can be tampered with, a privilege escalation scenario may be possible.

To take advantage of this, a root-owned binary with the setuid bit set must be embedded in the backup archive in order to elevate privileges. Ironically, most of the code responsible for importing and exporting the settings already does this. The "configexport" binary in the file system calls setuid/setgid (and sanitizes its input) and then calls execve on the script "/configexport/configexport.sh". Using a hex editor, the script that the "configexport" binary runs can be changed, replacing "configexport.sh" with an attacker-controlled script, and the input sanitization can be patched out. One could instead compile a custom binary, but this approach saves several hours of PPC cross-compilation fun.
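A defensive check for the restore path described above, written as an added example (not the vendor's code and independent of the Spacecom implementation): before a privileged process unpacks a settings backup, audit the archive for entries that should never come from user-supplied data, namely setuid/setgid files, link entries, special files, and paths that escape the extraction directory. The archive contents, file names and modes below are constructed for the demonstration.

```python
import io
import posixpath
import stat
import tarfile

# Mode bits that a restored settings file should never carry.
DANGEROUS_MODE_BITS = stat.S_ISUID | stat.S_ISGID


def path_escapes(name: str) -> bool:
    """True if a member name is absolute or climbs out of the extraction dir."""
    parts = posixpath.normpath(name).split("/")
    return name.startswith("/") or ".." in parts


def audit_backup_archive(tar_bytes: bytes) -> list[str]:
    """Return one finding per member that a privileged restore must reject."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if path_escapes(member.name):
                findings.append(f"{member.name}: path escapes the extraction directory")
            if member.issym() or member.islnk():
                findings.append(f"{member.name}: link entry pointing at {member.linkname}")
            if member.isdev() or member.isfifo():
                findings.append(f"{member.name}: special file")
            if member.isfile() and member.mode & DANGEROUS_MODE_BITS:
                findings.append(f"{member.name}: setuid/setgid bit set (mode {member.mode:o})")
    return findings


def build_constructed_archive(include_malicious: bool) -> bytes:
    """Build an in-memory tar resembling a settings backup (constructed data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name, data=b"", mode=0o644, ttype=tarfile.REGTYPE, link=""):
            info = tarfile.TarInfo(name)
            info.type, info.mode, info.linkname = ttype, mode, link
            info.size = len(data)
            info.uid = info.gid = 0   # owner root, as a root-created backup would be
            tar.addfile(info, io.BytesIO(data) if ttype == tarfile.REGTYPE else None)

        add("settings/network.conf", b"port=1500\n")   # a benign config file
        if include_malicious:
            add("settings/helper", b"#!/bin/sh\n", mode=0o4755)        # setuid root
            add("../../tmp/escaped.txt", b"x\n")                       # path traversal
            add("settings/shadow", ttype=tarfile.SYMTYPE, link="/etc/shadow")
    return buf.getvalue()


def restore_allowed(tar_bytes: bytes) -> bool:
    """Policy gate: a privileged restore proceeds only when the audit is clean."""
    return not audit_backup_archive(tar_bytes)


if __name__ == "__main__":
    for finding in audit_backup_archive(build_constructed_archive(True)):
        print("REJECT:", finding)
    print("clean archive allowed:", restore_allowed(build_constructed_archive(False)))
```

The audit runs on the archive as a whole before anything touches the file system, so a single bad member rejects the entire restore rather than leaving a partially extracted tree. On Python 3.12 and later, passing `filter="data"` to `TarFile.extractall` enforces a similar policy (stripping setuid/setgid bits and refusing escaping paths and links) at extraction time; the explicit audit above makes the rejected entries visible for logging.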

While we were working on this component of the attack chain, the ManiMed project, in cooperation with B. Braun, published a report including this discovery on the B. Braun website as CVE-2020-16238. As described in section 4.6.2.2 of that report, an attacker can run commands as root by chaining an authenticated arbitrary file upload, unsanitized symbolic link handling, and local privilege escalation. We commend the ManiMed researchers for discovering this vulnerability and practicing responsible disclosure.

Crossing systems

Once root access is obtained, the real work begins. The challenge is how to modify the pump RTOS from root access on the Spacecom communication module. One common approach is to keep looking for a vulnerability in the pump's RTOS that leads to code execution on that system. This method can cause many problems during black-box testing and risks damaging the limited number of test devices.

Another approach, used in past projects, is to take over the device's standard functionality and drive the attack through it. This is easier to manage, but it requires a deep understanding of how the device works in order to obtain the desired results. It can also be very difficult to test the device's layered defenses, depending on which security measures are implemented. In our case, this raised the question of how well the communication between the pump and Spacecom is protected.


As described in the system description above, the PCS binary is responsible for communicating with the pump system for two important operations: updating the drug library and updating the pump configuration. These are important features likely to interest an attacker. An attacker can take several approaches to interacting with these operations, especially with root access. After considering the alternatives, we chose to inject code into PCS memory using Spacecom's root access and use existing functions and objects to communicate with the pump's internal system.

Having chosen this path, we needed a deeper understanding of the data structures and functions that implement this communication. The key point is that, by using low-level functions, the necessary data can be modified or inserted without building objects and data from scratch. To illustrate, consider sending a simple signal to turn off the pump from the PCS memory space. Since all data sent from Spacecom to the pump RTOS goes over CAN messages, root access could be used to send a CAN message directly on the CAN bus. But the underlying protocol was designed by B. Braun and would need to be reverse engineered, requiring extensive knowledge and a breakdown of the CAN message structure, which is very difficult without strict specifications for the CAN data frame fields. In PCS there is a call chain that creates this message. Using the lowest function in the call chain, the Trysend function (see Figure 4), which transmits a CAN message, still requires understanding all of its arguments and the data format used, so essentially the same problem arises.

Figure 4: Trysend function

Instead, a function near the top of the call stack that performs the operation we need, switching the device off, lets the rest of the call chain do the time-consuming work for us. The function in Figure 5 below exists for exactly this purpose, and it is important to note that it takes only one parameter.

Figure 5: SwitchoffDevice

Using this concept, the functions in PCS can be used like an API to perform read and write operations against the pump database and force changes.

Understanding critical data

When sending and receiving data such as drug libraries and pump configurations, one must first understand the data format, how the data is processed, and which security measures need to be taken into account. Our team spent a long time reversing both the drug library and the pump configuration data. Parts of the pump configuration are called calibration data and disposable data; both can be changed through the attack chain. This paper, however, focuses on the more important calibration and disposable data.

Calibration and disposable data are usually represented as files on Spacecom. At a more detailed level, they are collections of keys and values intended to be read from or written to the pump database. Each file may also exist as a large blob of data on the pump's flash. The physical location of each key within this blob is hard-coded in the pump and may also be hard-coded in PCS. This representation matters for the various CRC calculations, which operate on the data blob rather than on key/value pairs. These checksums are used frequently throughout the pump infrastructure alongside critical data to ensure data consistency, protecting patient safety by preventing the data from being accidentally changed or corrupted. Figure 6 shows an example of disposable data contained in a Spacecom file.

Figure 6: Disposable data

Looking at the variable names in the disposable data file and the related code in the pump firmware, we found a key/value pair specifying the "head volume" of the tube, as shown in the figure above. Thorough analysis determined that "head volume" is a parameter that determines the amount of drug administered to the patient in each cycle, and that changing this value could be potentially harmful. This analysis is described in detail in the "Unique considerations for hacking infusion pumps" section below.

The next step, with the key/value pairs in mind, was to understand how the CRC is calculated. Since the system always checks data integrity, an attacker who wants to change a value must also update the CRC so that the modified data validates. Reverse engineering determined that the CRC is a custom CRC16 implementation with an initial value of 0xFFFF that depends on a hard-coded polynomial table. This algorithm was extracted, a custom Python script was written, and the CRC required for the disposable data was calculated.

With a basic understanding of the critical operating data and the CRC calculation, commands to change this data can be sent to the pump using the PCS binary in the API-like manner described above. This applies to both drug library and pump configuration data. A CRC is ideal for consistency checks, but it provides no security and no assurance about the origin of the data being sent. This lack of origin verification led to the filing of CVE-2021-33885.
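To make the distinction in the paragraph above concrete, here is an added example (not the vendor's code and not the pump's actual algorithm): a table-driven CRC16 with the 0xFFFF initial value reported above, placed next to an HMAC over the same blob. The polynomial (0x1021, the CRC-16/CCITT parameters), the key=value blob layout and the demo values are assumptions for this illustration; the pump's hard-coded table is not reproduced. The point is that a CRC is recomputable by anyone who can rewrite the blob, so it catches only accidental corruption, whereas a keyed MAC (or a signature) fails for any party without the key.

```python
import hashlib
import hmac

CRC_POLY = 0x1021   # assumed polynomial; the pump's real table is not public
CRC_INIT = 0xFFFF   # initial value reported in the analysis above


def make_crc16_table(poly: int = CRC_POLY) -> list[int]:
    """Precompute the 256-entry lookup table for an MSB-first CRC16."""
    table = []
    for byte in range(256):
        crc = byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
        table.append(crc)
    return table


CRC16_TABLE = make_crc16_table()


def crc16(data: bytes, init: int = CRC_INIT) -> int:
    """Table-driven CRC16 (CRC-16/CCITT-FALSE with the assumed polynomial)."""
    crc = init
    for b in data:
        crc = ((crc << 8) & 0xFFFF) ^ CRC16_TABLE[((crc >> 8) ^ b) & 0xFF]
    return crc


def encode_blob(pairs: dict[str, str]) -> bytes:
    """Constructed key=value layout standing in for the pump's data blob."""
    return "".join(f"{k}={v}\n" for k, v in sorted(pairs.items())).encode()


def attach_crc(payload: bytes) -> bytes:
    return payload + crc16(payload).to_bytes(2, "big")


def crc_ok(blob: bytes) -> bool:
    payload, trailer = blob[:-2], blob[-2:]
    return crc16(payload).to_bytes(2, "big") == trailer


def attach_hmac(payload: bytes, key: bytes) -> bytes:
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def hmac_ok(blob: bytes, key: bytes) -> bool:
    payload, tag = blob[:-32], blob[-32:]
    return hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), tag)


def compare_protections() -> dict[str, bool]:
    """Show what each check does and does not catch (constructed values)."""
    key = b"constructed-demo-key"                        # would live only on trusted hosts
    original = encode_blob({"tube_headVolume_a": "100"})  # value made up for the demo
    altered = encode_blob({"tube_headVolume_a": "200"})   # one byte differs
    crc_blob = attach_crc(original)
    mac_blob = attach_hmac(original, key)
    return {
        # accidental corruption: payload changed, old CRC kept -> detected
        "crc_detects_corruption": not crc_ok(altered + crc_blob[-2:]),
        # deliberate change: the CRC is simply recomputed, so it validates
        "crc_accepts_recomputed": crc_ok(attach_crc(altered)),
        "hmac_accepts_genuine": hmac_ok(mac_blob, key),
        # the same deliberate change cannot be re-tagged without the key
        "hmac_rejects_forgery": not hmac_ok(attach_hmac(altered, b"guess"), key),
    }


if __name__ == "__main__":
    print(f"crc16('123456789') = {crc16(b'123456789'):#06x}")
    for name, result in compare_protections().items():
        print(f"{name}: {result}")
```

The standard check value for these CRC parameters, 0x29B1 for the ASCII string "123456789", confirms the table implementation. The design point for a pump protocol is that the receiver must verify who produced the data, not only that it was not scrambled in transit, which means a key (or a verification certificate) held by the pump and not by the network component.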

Final attack chain

Reviewing the attack chain: user-level access to the device is obtained without authentication or authorization, and privileges are then escalated to root to leverage the existing functions of the PCS binary.

Since the PCS binary's proprietary protocol is unauthenticated, there are specific configuration options an attacker can change to make their work easier. One of these options indicates which server is "trusted" for updates such as drug libraries. An attacker can send commands to Spacecom to clear the current trusted server configuration and rewrite it to an attacker-controlled server. This is not required for the attack when using the format string and privilege escalation path above, but it provides an alternative and simplifies the attack process.

Finally, when the pump configuration or drug information is changed, the pump produces audible and visual notifications. Once again, a malicious attacker would want to be as stealthy as possible, so it was worth determining how to clear these notifications. This turned out to be as simple as restarting the pump after the change was complete. Since the restart takes only a few seconds, this method quickly cleared all alerts to the end user. The complete attack process is outlined in the figure below.

Figure 7: Complete attack chain

Attack prerequisites

This attack chain provides a complete way to change critical pump data, but it is important to recognize the conditions required for it to succeed. These pumps are designed to be connected to a local internal network, so under normal operating conditions an attacker needs to find a way onto the local network. Could this attack occur over the Internet? Technically, yes; however, it is very unlikely that a deployment would expose these devices directly to the Internet.

Beyond being on the local network, the pump has protections that prevent changes during pump operation. We discovered during the investigation that, while the pump is actively administering medication, all requests on the CAN bus to change library or configuration data are ignored. This means the attack can succeed only while the pump is idle or in standby mode between infusions.

Impact

The prerequisites for this attack are minimal and do not sufficiently reduce the overall threat. In today's world there are many documented ways attackers gain access to local networks. Hospitals and medical facilities are also generally public places with little or no access control, so it is easy to see how a malicious person could get onto the network unnoticed. Pumps are also not always actively administering medication; even the busiest hospitals have downtime when pumps are simply not in use.

The ability to change the pump's disposable data and configuration data gives an attacker several ways to cause harm. An attacker could simply render the device unusable or write an arbitrary message on the screen. We chose to focus on disposable data, specifically the key/value pair labeled "tube_headVolume_a", because it shows the greatest impact and potential harm to patients. In the video below, the pump is first shown in normal operation. After the system is shown working as intended, its configuration is remotely changed through the attack chain described above, affecting the pump as it administers medication.


Unique consideration for hacking infusion pumps

An interesting aspect of this project is that its impact and results are fundamentally based in the physical world. Whereas typical software hacking ends once root access or kernel privileges are obtained, this project also had to consider how the device is used by medical staff and how it affects patient safety. The following sections focus on various aspects of the project under this umbrella.

Why change tube_headVolume

As described earlier, our attack depends on changing disposable data that governs how the pump delivers medication. But why did we decide to investigate this? An interesting side effect of a pump built for safety is that most input and output received over the CAN bus is extensively checked. From the perspective of an attacker who has already compromised Spacecom, this is usually the prime place to look for memory corruption bugs. Fuzzing and emulating the M32C architecture would have been costly in terms of preparatory work, so instead we looked for the path of least resistance and searched for blind spots in the safety-oriented design.

In our case, we wanted to be able to affect the amount of medication administered without any malfunction or anomaly appearing on the screen. The original plan was to tamper with the device's drug library, but since the data that can be changed there is displayed on the screen, there was a concern that medical staff confirm the prescribed drug and rate before and after ordering and before starting the infusion. This was not ideal from an attacker's point of view, so we continued the investigation. The other files that could be changed were the calibration data and the disposable data. These files are interesting because they describe internal parameters: the calibration data specifies the physical parameters of the device itself, and the disposable data gives details about the tubing passing through the pump. Anyone familiar with precision instruments knows how important proper calibration is; if the calibration is off, it leads to improper operation or results. This makes sense from an operational standpoint, but from an attacker's standpoint it fits the requirements of the attack we had in mind: change an internal value so that the pump dispenses an incorrect amount of medication.

Looking at the variable names in the disposable file and the related code in the pump firmware, we found the tube "head volume". In our understanding, each time the pump cycles, the IV tube is compressed, pushing a small amount of medication toward the patient. Many physical parameters govern this volume (the inner diameter of the tube, the length of the compressed area, how much the tube is compressed), but ultimately all of these values appeared to be folded into a single variable. If this value is halved, the pump believes it is pushing half the actual amount, so it has to pump twice as fast to deliver the programmed dose. We tested this hypothesis, and doing so doubled the amount of medication administered while the pump assumed everything was normal.

Hospital operations and over-infused medications

Having seen what happens to the device when its internal configuration is changed, we can consider how this plays out in the real world. As mentioned earlier, medical staff must pay close attention when using these devices and make sure the numbers match the doctor's orders. In the United States, both the Centers for Medicare & Medicaid Services (CMS) and the American Society of Clinical Oncology require standards of care for high-risk or hazardous infusions such as blood and chemotherapy. Under these standards, two properly trained people (usually nurses) are required: one administers the drug and the other verifies the order and composition before administration. Internationally, we found that the same protocol is used in Irish hospitals, which require that each value be double-checked for correctness. However, another document describing the adoption of a smart pump system at a Swedish hospital suggests a concern that if a nurse makes a mistake in setting up the pump, an invalid drug protocol may be followed (p. 47). These documents are anecdotal, but the overall impression is that strong checks exist, yet under pressure or with multiple infusions, mistakes can still happen, which is exactly what a smart pump is meant to prevent.

Shaun Nordeck, M.D., one of our industry partners, was an interventional radiology resident at a Level 1 trauma center and previously an Army health and allied medical professional, with more than 20 years of experience in the medical field. Dr. Nordeck states: "In high-pressure environments such as the ICU, the risk of infusion errors may be higher because these critical medications are frequently adjusted for critically ill patients. However, errors are not limited to the ICU; they can easily occur in inpatient ward and outpatient settings as well. Basically, each time the variables (patient complexity, acuity, number of medications, medication changes, nurse-to-patient ratio) increase, the risk of error increases."

 It is important to keep in mind that drops can be counted visually to check the infusion rate as a safety measure (there is even an optional module that does this automatically). However, depending on the parameters, a modest change in rate (for example, half or double) may not be immediately obvious yet still be harmful. Dr. Nordeck adds: "As a daily example, correcting a person's hyperglycemia or sodium level too quickly can cause brain swelling or nerve damage, leading to permanent disability or death." The FDA's MAUDE database can be used to track adverse events related to medical devices and to see the kinds of problems that have actually occurred in the field. Certain drugs are especially potent, and for those the delivery rate is critical; in one case, a patient who received a drug at four times the intended rate died a few hours after the incident. Under-delivery can also be a problem, because the required medicine does not reach the patient in the appropriate amount. These examples emphasize that a pump delivering the wrong amount of a drug can happen in the field, may go unnoticed for hours, and can lead to injury and death.

Common pitfalls

 Let's step back and consider some common weaknesses revealed while examining the infusion pump ecosystem. We believe these problems are not unique to this brand or product but are likely to be found throughout the medical field, because the industry has so far received only limited attention from both malicious actors and the cyber security industry. As cyber threats grow and new smart devices are constantly added to private networks, new attack surfaces are exposed, and many systems that have lagged behind remain untouched; this may be about to change. The slow life cycle of smart medical devices means that security best practices and mitigations are adopted and developed in the field, and being aware of this may help medical institutions.

The cost of patching

 Consumer hardware and software are usually far more agile than their counterparts in the medical industry. The web browser or operating system on a personal computer updates automatically soon after a regular patch is released. Medical devices are fundamentally different: they are often directly tied to patient safety and therefore must go through a strict review process before an update can be applied. This often requires taking the device out of service during the update and performing follow-up testing and recalibration. In many cases it is very expensive and difficult for medical facilities to update their products, and as a result devices end up running firmware that is several years old. For this reason, even "table stakes" security measures are not fully adopted.

Design for safety, not security

 Looking at the overall architecture of the pump, it is clear that it was designed with safety in mind. For example, the main processing runs on an application processor, but there is also a control processor that monitors sensor output and the other components so that nothing unexpected happens. Everything is CRC-checked, memory corruption is flagged, and all values are range-checked. All of this suggests a design that gave high priority to limiting the impact of hardware and software failures, of data accidentally corrupted on the network, and of degradation of the flash modules.

 However, it seems the design process paid much less attention to preventing malicious actions. The line between safety and security can be blurred. Measures that make accidental memory corruption or out-of-range access caused by faulty hardware harder to exploit also make an attacker's job harder, but attackers will always try to bypass such mitigations. Likewise, logic bugs that are very unlikely to be triggered by chance may be the "keys to the kingdom" for an attacker. Internal audits and offensive security exercises can provide valuable insight, highlighting how an attacker thinks and strengthening existing safeguards to protect against intentional threats.

Everything is based on trust

 Looking at how the pump and its communication module handle communication and file processing, we found that critical files are not signed (CVE-2021-33885), most data exchange is performed in plaintext (CVE-2021-33883), and the proprietary protocol generally lacks authentication (CVE-2021-33882). Several areas of the user-facing system are password-protected, but the internal systems are not. This may be because the login page of a website is an "obvious" place to protect, and FTP and SSH come with proper authentication mechanisms, whereas an ad hoc protocol designed for a more specialised application is less obvious. There is also the matter of evaluating an evolving situation and the associated threats. The risk of someone tampering with a component (such as calibration data or the drug library) is considerably lower if doing so requires physical access, dedicated software and equipment. But once the device is connected to a network, the attack surface may expand while the original assumptions are never revisited. In any case, defence in depth should make critical files hard to tamper with. That said, there are legitimate trade-offs between security and functionality, and for embedded devices the limited resources and ease of use must also be taken into account.
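To make the difference between the CRC checks described under "Design for safety, not security" and a cryptographic integrity check concrete, here is an added Python example; it is not code from this page or from B. Braun. It uses a constructed configuration record and a constructed key, and shows that a CRC catches a random bit flip (what it was designed for) but is trivially recomputed over a deliberately modified record, while an HMAC over the same bytes rejects the modified record because the key is not available to whoever changed the file. The record fields, the key and all function names are assumptions for illustration.

```python
import hashlib
import hmac
import json
import zlib

# Constructed stand-in for a "critical dataset" such as a pump configuration
# or drug library. The field names are illustrative, not the real file format.
ORIGINAL_CONFIG = {
    "device": "pump-constructed-0001",
    "max_rate_ml_h": 100,
    "drug_library_rev": 12,
}

# Constructed key. A real design would provision a vendor signing key (or a
# public key for asymmetric signatures) at manufacture; this value is not real.
DEVICE_KEY = b"constructed-demo-key-not-a-real-secret"


def encode(config):
    """Canonical byte encoding so both sides compute checks over identical bytes."""
    return json.dumps(config, sort_keys=True, separators=(",", ":")).encode()


# --- Safety-style check: CRC32 detects accidental corruption ---------------

def crc_protect(config):
    data = encode(config)
    return data, zlib.crc32(data)


def crc_verify(data, crc):
    return zlib.crc32(data) == crc


# --- Security-style check: keyed MAC detects deliberate modification -------

def mac_protect(config, key):
    data = encode(config)
    return data, hmac.new(key, data, hashlib.sha256).digest()


def mac_verify(data, tag, key):
    expected = hmac.new(key, data, hashlib.sha256).digest()
    # compare_digest avoids leaking the tag through timing differences
    return hmac.compare_digest(expected, tag)


# --- Two ways the stored bytes can differ from what was written ------------

def flip_one_bit(data, bit_index=17):
    """Accidental corruption: a single flipped bit, e.g. a worn flash cell."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def modify_and_recompute_crc(data):
    """Deliberate modification: change a value, then recompute the CRC.
    A CRC involves no secret, so anyone who can write the file can make it 'valid'."""
    config = json.loads(data)
    config["max_rate_ml_h"] = 400  # constructed change
    new_data = encode(config)
    return new_data, zlib.crc32(new_data)


def demo():
    """Run both checks against both kinds of change and report what each accepts."""
    data, crc = crc_protect(ORIGINAL_CONFIG)
    _, tag = mac_protect(ORIGINAL_CONFIG, DEVICE_KEY)

    flipped = flip_one_bit(data)
    modified, modified_crc = modify_and_recompute_crc(data)

    return {
        "crc_accepts_original": crc_verify(data, crc),
        "crc_detects_bit_flip": not crc_verify(flipped, crc),
        "crc_accepts_modified": crc_verify(modified, modified_crc),
        "mac_accepts_original": mac_verify(data, tag, DEVICE_KEY),
        "mac_detects_bit_flip": not mac_verify(flipped, tag, DEVICE_KEY),
        # the modifier cannot produce a valid tag without DEVICE_KEY
        "mac_detects_modified": not mac_verify(modified, tag, DEVICE_KEY),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The point is not that the CRC is wrong, but that it answers a different question ("did the bytes change by accident?") from the one a security review asks ("could someone have changed them on purpose?"); only a check that involves a secret the writer does not hold answers the second one.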

CAN is connected to Wi-Fi

 Originally, the CAN bus was reserved for communication between trusted components: the service PC used for maintenance, or, on older models without SpaceCom, the connection between multiple devices in a SpaceStation. SpaceCom was offered as an optional module that attaches to the SpaceStation to provide external connectivity. So the CAN bus was used for "internal" communication between trusted components, and SpaceCom, an external module, could be added for data reporting over the network. Over the following decade the technology improved and everything was miniaturised to the point of integration, so that the battery module now provides Wi-Fi connectivity and the SpaceCom functionality. This opened new possibilities, such as using the built-in SpaceCom module to provide the same functions as the service PC. From the user's point of view operation is simplified, but from a security point of view the "trusted" internal network is suddenly bridged to an external, wirelessly accessible network. Privileged operations that could once be performed only by a few dedicated devices with physical access are now offered by a Wi-Fi-connected Linux device, which is far more questionable.

 Almost every industry that has evolved from relying on trusted physical networks to being suddenly connected to the Internet and other untrusted networks faces this kind of problem. Smart connected devices are a double-edged sword: just as the flexibility and synergy between systems improve, they can create pressing security problems that need to be considered as a whole.

Technical debt

 When developing a custom protocol or an ad hoc system, it is natural that technical debt accumulates. This is even more so when the device life cycle spans many years, patches and upgrades are complicated and costly, the supported customer base is diverse, and there are multiple hardware revisions. Over time, functions become more obscure and their ownership may be lost. One example is the format string vulnerability affecting the JSON-DBUS module. Its use was obscure, and the code had been forked from an open source project many years ago. The original repository contains the security bug, but it was never flagged as a bug. Presumably, when the fork was made the code served its purpose, nobody came back to it afterwards, and the security bug went unnoticed. The same is true of custom-designed protocols and file formats: evolving them to keep up with improving security best practices while avoiding "legacy" development can be difficult. In such a scenario, the way to mitigate is to make sure the system is isolated, to disable unnecessary functions, and to restrict privileges and access to what is needed. Future-proofing a system is a difficult task; if anything, combining transparency about the components a system's functions depend on with regular audits (source code review or black-box audits) can prevent a component from going unchecked against many years of best practices.
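The format string problem described above is a C printf issue, and the page does not reproduce the affected code. The following is an added Python example, not the device's code and not from the page, that shows the same class of bug (CWE-134) in Python's `%` formatting: when an externally supplied string is used as the format string and the right-hand side is a mapping of internal state, `%(name)s` directives read that state, and a bare `%s` renders the whole mapping. The state dictionary, its values and the function names are all constructed for illustration. The fixed version keeps the format string constant and treats the external text purely as data, and a small scanner flags messages carrying directives so they can be logged and alerted on.

```python
import re

# Constructed internal state that a logging helper happens to have in scope.
# All values are placeholders, not real device data.
INTERNAL_STATE = {
    "serial": "SN-CONSTRUCTED-0001",
    "wifi_psk": "constructed-not-a-real-secret",
    "firmware": "0.0.0-constructed",
}


def log_vulnerable(untrusted):
    """BUG (CWE-134): the external string is used as the format string.
    Same shape as printf(buf) where buf came straight off the network."""
    return "[spacecom] " + (untrusted % INTERNAL_STATE)


def log_fixed(untrusted):
    """The format string is a constant; the external string is only an argument.
    Same shape as printf("%s", buf)."""
    return "[spacecom] %s" % (untrusted,)


# Matches printf-style directives, including Python's %(key)s mapping form.
FORMAT_DIRECTIVE = re.compile(
    r"%(?:\([^)]*\))?[-+ #0]*(?:\*|\d+)?(?:\.(?:\*|\d+))?[hlL]?[diouxXeEfFgGcrsa%]"
)


def contains_format_directive(text):
    """Detection aid: True if the text carries something a formatter would act on."""
    return FORMAT_DIRECTIVE.search(text) is not None


def demo():
    probe_key = "%(wifi_psk)s"   # constructed input naming an internal field
    probe_all = "%s"             # with a mapping on the right, %s renders the whole dict
    benign = "rate set by operator"
    return {
        "vulnerable_leaks_field": log_vulnerable(probe_key),
        "vulnerable_leaks_all": log_vulnerable(probe_all),
        "fixed_keeps_literal": log_fixed(probe_key),
        # without directives both helpers behave the same, which is why the
        # bug survives ordinary testing
        "benign_unchanged": log_vulnerable(benign) == log_fixed(benign),
        "flagged": [contains_format_directive(s) for s in (probe_key, probe_all, benign)],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The scanner is deliberately broad (it will also match an innocent "% d" in free text); for detection that is the right trade-off, since a directive in a field that should never carry one is worth a log entry even when it is benign.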

Conclusion

 This concludes a research project in which two senior researchers spent a considerable amount of time demonstrating the life-threatening risk of a remote attacker hijacking this device. For the time being, ransomware attacks are the more likely threat in the medical sector, but as these networks are eventually hardened against that type of attack, malicious actors will look for other low-hanging fruit. Given the lifetime of medical devices and the difficulty of updating them, it is important to start planning now for tomorrow's threats. We hope this research helps to draw attention to long-term blind spots.

 Dr. Nordeck describes the importance of this research as follows: "The ability to operate medical devices in a way that harms patients without the end user detecting it effectively turns the device against the patient, something Hollywood has imagined and McAfee's ATR team has confirmed can actually happen. Device manufacturers clearly aim to build safe and secure products, as shown by their built-in safeguards, but their devices may succumb to ransom attacks and may contain flaws that could cause harm, so manufacturers must cooperate with security experts to have their products tested independently and to detect and fix potential threats. This is necessary to maintain patient safety and device security."

 Performing regular security audits, making it easy for medical practitioners to keep devices up to date, and providing reliable mitigations when that is impossible should be on the priority list of every medical vendor. Medical practitioners, policy makers and even the general public need to hold medical vendors accountable, require a clear risk profile for the devices being sold, and demand better ways to keep devices safe. We recognise that even with a holistic approach to security there will always be flaws that cannot be anticipated in advance. In such cases, vendors need to encourage industry partners to investigate further, accept responsible disclosure, and communicate openly with researchers, stakeholders and customers.

 From a security research perspective, it is important to understand how a device works at the whole-system level, how each component interacts, and which components can communicate with each other. It is also important to read between the lines of the manufacturer's documentation: something may not be covered in the design documents or specifications, yet emergent properties may arise as side effects of other design decisions.

 Offensive projects like ours are really intended to highlight structural weaknesses and point out risks. Defensive work is now needed to address these concerns. For example, manufacturers should take advantage of cheaper and more powerful microcontrollers to implement proper authentication mechanisms. More important still, however, is to investigate and address the challenges hospitals face in keeping devices up to date. This needs to be delivered both as technical solutions from vendors and as advocacy to promote safe practices and raise awareness of the potential risks associated with critical devices running outdated software. The FDA tried to take the lead with the CyberMed Safety (Expert) Analysis Board (CYMSAB) in 2018, but so far there has been little progress. The work done by Germany's BSI in the ManiMed project is also very encouraging. We believe this is an area of cyber security with great potential that needs attention, and we look forward to the information security industry taking on this challenge to continuously make this critical sector safer.

 One of the goals of the McAfee Advanced Threat Research team is to identify and illuminate a broad spectrum of threats in today's complex and constantly evolving landscape. In accordance with McAfee's vulnerability disclosure policy, the ATR team directly notified and cooperated with the B. Braun team. Through this partnership, the vendor is working to mitigate the vulnerabilities detailed in this blog. Companies using B. Braun Infusomat devices are strongly encouraged to update as soon as possible in accordance with their patch policies and test strategies.

CVE details

CVE: CVE-2021-33882

 CVSSv3 Rating: 6.8 / 8.2

 CVSS String: AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N/IR:H/AR:M/MAV:A

 CVE Description: A missing authentication for critical function vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows a remote attacker to reconfigure the device from an unknown source because of the lack of authentication on proprietary networking commands.

CVE: CVE-2021-33883

 CVSSv3 Rating: 5.9 / 7.1

 CVSS String: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/IR:H/AR:M/MAV:A

 CVE Description: A cleartext transmission of sensitive information vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows a remote attacker to obtain sensitive information by snooping on network traffic. The exposed data includes critical values for the pump's internal configuration.

CVE: CVE-2021-33884

 CVSSv3 Rating: 7.3 / 5.8

 CVSS String: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/CR:M/IR:M/AR:L/MAV:A

 CVE Description: An unrestricted upload of file with dangerous type vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows remote attackers to upload files to the /tmp directory of the device through the web page API. This can result in critical files being overwritten.

CVE: CVE-2021-33885

 CVSSv3 Rating: 10.0 / 9.7

 CVSS String: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N/IR:H/AR:M/MAV:A

 CVE Description: An insufficient verification of data authenticity vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows an unauthenticated remote attacker to send malicious data to the device that will be used in place of the correct data. This is possible because critical datasets lack cryptographic signatures.

CVE: CVE-2021-33886

 CVSSv3 Rating: 8.1 / 7.7

 CVSS String: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/RL:O/RC:C

 CVE Description: An improper input sanitization vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows an unauthenticated remote attacker to obtain user-level command-line access by passing a raw external string directly to a printf statement. The attacker must be on the same network as the device.

* The content of this page is based on the following McAfee Enterprise blog post, updated on August 24, 2021 (Japan time).

Original: McAfee Enterprise ATR Uncovers Vulnerabilities in Globally Used B. Braun Infusion Pump, by Douglas McKee and Philippe Laulheret
