Security flaws can reside in the software of all kinds of devices. Researchers at IBM recently reported a critical vulnerability in an electronic component that would allow threat actors to remotely take control of multiple models of insulin pumps, devices used as an alternative to traditional injections. Exploiting the flaw could alter the doses delivered to thousands of patients, putting their lives at risk.
The problem lies in modules developed by the French firm Thales, which are built into millions of devices across industries such as automotive, energy and, of course, health services.
By exploiting a flaw in one of these modules, threat actors can trigger abnormal behavior in insulin pumps used by millions of patients around the world. Which device manufacturers are exposed is currently unknown, the researchers note.
IBM says the flaw was initially reported in September 2019 and that a security patch was released in February 2020 in conjunction with Thales. However, the fix must still be integrated into each product and rolled out by the device makers, and the process for updating affected devices in highly regulated industries is slow, so millions of devices could still be exposed.
IBM says it chose to disclose the flaws publicly now because of a separate announcement of security flaws that could affect millions of Internet of Things (IoT) devices. This appears to refer to the findings of the Israeli firm JSOF, which detected multiple IoT vulnerabilities, known collectively as Ripple20, that would allow malicious hackers to modify the behavior of connected devices, including insulin pumps. The US Cybersecurity and Infrastructure Security Agency (CISA) also issued an alert regarding Ripple20.
The researchers also said that no real-world exploitation attempts have been detected so far, and stressed that they will not disclose which devices are affected. A similar stance was taken by the Health Sector Cybersecurity Coordination Center (HC3), part of the US Department of Health and Human Services, which published a note on the dangers of the flaw without naming vulnerable manufacturers or models.
Insulin pumps are not the only medical devices exposed to these flaws. Equipment such as glucose monitors, vital-sign monitors and other connected devices that rely on the same modules could also be tampered with for malicious purposes, the researchers note. In other words, the flaw is a problem for the medical industry in general.
It should be noted that some members of the cybersecurity community consider the vulnerability a minor risk. Chris Gates, a medical device engineering specialist, says the vulnerable Thales modules are not a threat on the level of the Ripple20 flaws, which allow remote code execution: “A potential attack against Thales modules requires physical access via USB or by intercepting a wireless update; the attack would also depend on the amount of information stored in the memory of an insulin pump,” the expert says.
Although a catastrophic scenario is unlikely, the researchers recommend some preventive measures. Users should not leave the device within reach of a potential attacker. Device updates incorporating the Thales patch are expected to become available, and applying them as soon as the manufacturer releases them will reduce the risk of attack.