New York, NY June 13, 2019 — Two cybersecurity vulnerabilities have been discovered in the firmware and web management of BD's (Becton, Dickinson and Company) Alaris™ Gateway Workstations, the US Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) disclosed today. The vulnerabilities, reported by medical device cybersecurity researchers at CyberMDX, could allow a malicious attacker to completely disable the device, install malware, or report false information. In extreme cases, the attacker could even communicate directly with pumps connected to the gateway to alter drug dosages and infusion rates.
These vulnerabilities were independently tested and validated before being confirmed by BD. Together with the U.S. Department of Homeland Security (DHS) the vendor and security firm worked to assess the extent of the risk posed and to express that risk in terms of baseline and temporal Common Vulnerability Scoring System (CVSS) scores.
The vulnerability within the Alaris™ Gateway firmware was disclosed with a CVSS risk score of 10.0 (Critical) CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H, as referenced in the ICS-CERT Advisory (ICSMA-19-164-01)
The vulnerability within the Web Browser User Interface of the Alaris™ Gateway Workstation (AGW) was disclosed with a CVSS risk score of 7.3 (High) CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L as referenced in the ICS-CERT Advisory 2019-10962.
Alaris Gateway Workstations are used to provide mounting, power, and communication support to infusion pumps. The devices are used in a wide range of therapies — including fluid therapy, blood transfusions, chemotherapy, dialysis, and anesthesia.
Researchers from CyberMDX discovered that AGWs are vulnerable to an exploit that could remotely manipulate firmware files. The attack, which requires no special privileges to execute, could for example be used to "brick" the AGW — freezing it until it is repaired by the manufacturer. More troubling, it also allows an attacker to manipulate gateway communication with connected infusion pumps. For some infusion pump models used in tandem with AGWs, a hacker could use the compromised gateway to prevent the administration of life-saving treatment or to alter, potentially fatally, intended drug dosages.
Following responsible disclosure guidelines, CyberMDX contacted device manufacturer Becton Dickinson, who conducted their own testing and confirmed the vulnerability. Both parties then worked with the regulatory bodies to see the process through. Because of the ease of attack, the remote nature and the high impact, the firmware vulnerability was given a severity score of 10 out of 10.
More information on the vulnerabilities can be found linked below:
“Identifying, quantifying, and prioritizing medical device security vulnerabilities requires constant vigilance. Our goal is to discover and help remedy critical vulnerabilities before they are exploited to adversely affect patient care,” said Elad Luz, Head of Research at CyberMDX. “The onus for medical device security lies across all stakeholders — the device manufacturers, healthcare providers, and technology companies — and CyberMDX’s cybersecurity research team is committed to working with all these parties to make hospitals safer and medical equipment more reliable.”
CyberMDX’s dedicated research and analysis team regularly works with medical device organizations to responsibly disclose and effectively mitigate security vulnerabilities. The threat intelligence team works tirelessly to help protect hospitals and healthcare organizations from malicious attacks on connected medical devices. The team’s researchers, engineers, and analysts collect information about potential threats to understand possible attack paths, as well as attacker motives and methods in order to deliver comprehensive protection.
A pioneer in hospital cybersecurity, CyberMDX delivers network visibility and threat prevention for medical facilities and their healthcare devices. The company is driven by the belief that only smarter IoMT monitoring and security management can ensure operational resilience while protecting patient and data safety. With continuous endpoint discovery, comprehensive risk assessment, and AI-assisted threat response, CyberMDX offers an easy-to-use solution to help hospitals run better with 360° of cyber intelligence.