Vulnerabilities Disclosed by CyberMDX Allow Attackers to Take Over Infusion Pumps
Vulnerabilities found in BD Alaris Gateway Workstation affirmed by ICS-CERT with CVSS scores of 10.0 and 7.3 respectively
Jun 13, 2019, 16:06 ET
NEW YORK, June 13, 2019 /PRNewswire/ — Two cybersecurity vulnerabilities have been discovered in the firmware and web management of BD (Becton, Dickinson and Company) Alaris Gateway Workstations, the US Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) disclosed today. The vulnerabilities, reported by medical device cybersecurity researchers at CyberMDX, could allow a malicious attacker to completely disable the device, install malware, or report false information. In extreme cases, the attacker could even communicate directly with pumps connected to the gateway to alter drug dosages and infusion rates.
These vulnerabilities were independently tested and validated before being confirmed by BD. Together with the U.S. Department of Homeland Security (DHS), the vendor and CyberMDX worked to assess the extent of the risk posed and to express that risk in terms of baseline Common Vulnerability Scoring System (CVSS) scores.
The vulnerability within the Alaris™ Gateway firmware was disclosed with a CVSS risk score of 10.0 (Critical) CVSS:(AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H), as referenced in the ICS-CERT Advisory CVE-2019-10959
The vulnerability within the Web Browser User Interface of the Alaris™ Gateway Workstation (AGW) was disclosed with a CVSS risk score of 7.3 (High) CVSS:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). ICS-CERT Advisory
Alaris Gateway Workstations are used to provide mounting, power, and communication support to infusion pumps. These devices are used in a wide range of therapies — including fluid therapy, blood transfusions, chemotherapy, dialysis, and anesthesia.
Researchers from CyberMDX discovered that AGWs are vulnerable to an exploit that could remotely manipulate firmware files. The attack, which requires no special privileges to execute, could, for example, be used to "brick" the AGW — freezing it until it is repaired by the manufacturer. More troubling, it also allows an attacker to manipulate gateway communication with connected infusion pumps. For some infusion pump models used in tandem with AGWs, a hacker could use the compromised gateway to prevent the administration of life-saving treatment or to alter intended drug dosages.
Following responsible disclosure guidelines, CyberMDX contacted device manufacturer BD who conducted their own testing and confirmed the vulnerability. Both parties then worked with the regulatory bodies to see the process through. Because of the ease of attack, the remote nature and the high impact, the firmware vulnerability was given a severity score of 10 out of 10.
More information on both vulnerabilities can be found on theCyberMDX website, by following the links below:
"Identifying, quantifying, and prioritizing medical device security vulnerabilities requires constant vigilance. Our goal is to discover and help remedy critical vulnerabilities before they are exploited to adversely affect patient care," said Elad Luz, Head of Research at CyberMDX. "The onus for medical device security lies across all stakeholders – the device manufacturers, healthcare providers and technology companies — and CyberMDX's cybersecurity research team is committed to working with all these parties to make hospitals safer and medical equipment more reliable."
About CyberMDX's Cybersecurity Research & Analysis Team
CyberMDX's dedicated research and analysis team regularly works with medical device organizations to responsibly disclose and effectively mitigate security vulnerabilities. The threat intelligence team works tirelessly to help protect hospitals and healthcare organizations from malicious attacks on connected medical devices. The team's researchers, white hat hackers, engineers and analysts collect information about potential and existing threats to understand possible attack paths, as well as attacker motives and methods in order to deliver comprehensive protection.
A pioneer in hospital cybersecurity, CyberMDX delivers network visibility and threat prevention for clinical networks and their healthcare devices. The company is driven by the belief that only smarter IoMT monitoring and security management can ensure operational resilience while protecting patient and data safety. With continuous endpoint discovery, comprehensive risk assessment, and AI-assisted threat response, CyberMDX offers an easy-to-use solution to help hospitals run better with 360° of cyber intelligence.
For more information, please visit our website.
Westray communications for CyberMDX
+972 58 419 2917
Share this article