Rapid7 Details Flaws in Sigma Infusion Pump From Baxter

Cybersecurity experts have uncovered vulnerabilities in Baxter’s line of Sigma infusion pumps before, flagging the product in both 2015 and 2020. In April of this year, the team at cybersecurity research firm Rapid7 found what may be Sigma’s true Achilles’ heel: a firmware-version issue combined with an oversight in the Wi-Fi battery unit. “An attacker with physical access to an infusion pump could install a Wi-Fi battery unit, purchased on eBay, and then quickly power-cycle the infusion pump and remove the Wi-Fi battery – allowing them to walk away with critical Wi-Fi data once a unit has been disassembled and reverse engineered,” said representatives from Rapid7.

Baxter was quick to correct one of the problems by adding authentication, and has also provided detailed instructions for mitigating the risk of hospital Wi-Fi credentials being exposed for customers who use secondary-market batteries in the product. The company states that neither patients nor infusions have been affected so far, and further claims that the controlled nature of the vulnerabilities means patients will likely never be directly harmed.

A recent safety communication from Baxter said that although pump performance remains exposed to these problems, the hardware and software components of Sigma remain protected. The fact remains, however, that therapy interruptions or delays are still possible for pump users if a wireless battery is tampered with. Rapid7, for its part, has praised Baxter’s product security teams for their “responsiveness, transparency, and genuine interest” in addressing these flaws.