New York, NY, August 23, 2018 – CyberMDX, a leading healthcare cybersecurity provider delivering visibility and threat prevention for medical devices and clinical networks, today announced that the research group of its company has discovered two security vulnerabilities found in commonly used medical devices: Becton Dickinson (BD)’s Alaris® TIVA Syringe Pump and Qualcomm Life Capsule’s Datacaptor Terminal Server (DTS). Working closely with both vendors, the vulnerabilities have been publicly disclosed via ICS-CERT
CyberMDX found a potential vulnerability in the BD Alaris TIVA syringe pump with software version 2.3.6 and below that is sold and used outside of the U.S.
Through CyberMDX’s research, the team discovered that if a malicious attacker can gain access to a hospital’s network and if the Alaris TIVA syringe pump is connected to a terminal server, the attacker can perform hacks without any prior knowledge of IP addresses or location of the pump.
The attack could lead to unauthorized start/stop of the pump and/or unauthorized changes in the rate of infusion.
To learn more about this vulnerability, with a 9.4 (critical) CVSS, refer to the ICS-CERT advisory (ICSMA-18-235-01).
CyberMDX worked closely with the Product Security team at BD that emphasizes collaboration across the health care industry to enhance cybersecurity of medical technology and devices.
Qualcomm Life Capsule’s Datacaptor Terminal Server (DTS) is a medical gateway device used by hospitals to connect their medical devices to the network. The gateway is typically used to connect bedside devices such as monitors, respirators, anesthesia, and infusion pumps, and like many other IoT devices, the DTS has a web management interface used for remote configuration, based on Allegrosoft RomPager
The CyberMDX research team found that interacting with the web management using the “Misfortune Cookie” vulnerability, which hands out a crafted HTTP cookie to the device, resulted in an arbitrary write to its memory. This action can be performed with no authentication and the arbitrary write may be used to login without credentials, gain administrator-level privileges on the terminal server, or simply crash them. This may result in harm to the device availability as well as the network connectivity of the serial medical devices connected to it.
Although the Misfortune Cookie vulnerability has been publicly known for four years, prior to this disclosure, there was no awareness of it in this instance.
After collaboration with Qualcomm Life Capsule, CyberMDX recommended users to immediately update the DTS devices to their latest firmware version to overcome the vulnerability. Qualcomm Life worked quickly to validate the vulnerability, provide a workaround and an update to the firmware, and notify customers.
To learn more about this potential vulnerability, classified as a CVSS 9.8 (critical), refer to the ICS-CERT Advisory (ICSMA-18-240-01) or see here for the full disclosure report.
“Uncovering these vulnerabilities illustrates how responsible disclosure between cybersecurity researchers and medical device vendors can work when both sides are committed to improving patient safety,” said Elad Luz, Head of Research at CyberMDX. “We are a catalyst for change in the healthcare industry by focusing our research capabilities solely on medical devices. Our research team is committed to ensuring patient safety by tirelessly working closely with hospitals and manufacturers to improve the security and resiliency of connected medical devices at hospitals worldwide.”
CyberMDX is an IOT security leader dedicated to protecting the quality care of health delivery worldwide. CyberMDX provides cloud-based cybersecurity solutions that support the advancement of The Internet of Medical Things. The CyberMDX solution identifies endpoints and assesses vulnerabilities to detect, respond to, and prevent cyber incidents. Deployed worldwide, CyberMDX is designed to integrate with our customers’ existing environments through its scalable, easy-to-deploy and agentless solution.