CISA Issues Advisory for Vulnerable Baxter IoT Medical Devices

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory regarding four medical IoT devices from Baxter and provided advice for mitigating the security impact.

Medical devices hold a special place in the IoT ecosystem because they could be directly responsible for keeping a person alive. Any vulnerability within this niche of the industry has to be fixed as quickly as possible.

That’s one reason why CISA gets involved in this type of vulnerabilities, and why you don’t see notifications from a government agency when new vulnerabilities are found in a smartwatch. It’s also worth pointing out that the manufacturer reported the vulnerabilities, and not some third-party.

The vulnerabilities revealed by Baxter cover a few infusion pumps and hemodialysis delivery systems, and are directly related to the use of hard-coded passwords, the transmission of sensitive data over plain text, incorrect permission assignment, and operation of a resource after expiration.

“Successful exploitation of these vulnerabilities could result in access to sensitive data, alteration of system configuration, and impact to system availability,” states the CISA advisory. Moreover, some of the vulnerabilities could have been used remotely and only required a low skill level to exploit.

Baxter issued a number of mitigation measures for each device, depending on the hardware. The most important measure would be to isolate the affected products from the Internet and all untrusted systems, followed by good network hygiene to include appropriate network segmentation, utilizing DMZs, and properly configured firewalls.

The IT admins with these devices in their care should also monitor and log all network traffic attempting to reach the affected products, including Port 20/FTP, Port 21/FTP, and Port 23/TELNET.

Patches for all the vulnerabilities have been issued, and healthcare organizations should update their devices as soon as possible.

Add Comment

Your email address will not be published. Required fields are marked *