New York, NY, June 13, 2019 — Two cybersecurity vulnerabilities have been discovered in the firmware and web management of BD’s (Becton, Dickinson and Company) Alaris™ Gateway Workstations, the US Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) disclosed today. The vulnerabilities, reported by medical device cybersecurity researchers at CyberMDX, could allow a malicious attacker to completely disable the device, install malware, or report false information. In extreme cases, the attacker could even communicate directly with pumps connected to the gateway to alter drug dosages and infusion rates.
These vulnerabilities were independently tested and validated before being confirmed by BD. Together with the U.S. Department of Homeland Security (DHS), the vendor and security firm worked to assess the extent of the risk posed and to express that risk in terms of baseline and temporal Common Vulnerability Scoring System (CVSS) scores.
The vulnerability within the Alaris™ Gateway firmware was disclosed with a CVSS risk score of 10.0 (Critical), vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H, as referenced in the ICS-CERT Advisory (ICSMA-19-164-01).
The vulnerability within the Web Browser User Interface of the Alaris™ Gateway Workstation (AGW) was disclosed with a CVSS risk score of 7.3 (High), vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, as referenced in the ICS-CERT Advisory 2019-10962.
Alaris Gateway Workstations are used to provide mounting, power, and communication support to infusion pumps. The devices are used in a wide range of therapies — including fluid therapy, blood transfusions, chemotherapy, dialysis, and anesthesia.
Researchers from CyberMDX discovered that AGWs are vulnerable to an exploit that could remotely manipulate firmware files. The attack, which requires no special privileges to execute, could for example be used to “brick” the AGW — freezing it until it is repaired by the manufacturer. More troubling, it also allows an attacker to manipulate gateway communication with connected infusion pumps. For some infusion pump models used in tandem with AGWs, a hacker could use the compromised gateway to prevent the administration of life-saving treatment or to alter, potentially fatally, intended drug dosages.
Following responsible disclosure guidelines, CyberMDX contacted device manufacturer Becton Dickinson, who conducted their own testing and confirmed the vulnerability. Both parties then worked with the regulatory bodies to see the process through. Because of the ease of attack, the remote nature and the high impact, the firmware vulnerability was given a severity score of 10 out of 10.
“Identifying, quantifying, and prioritizing medical device security vulnerabilities requires constant vigilance. Our goal is to discover and help remedy critical vulnerabilities before they are exploited to adversely affect patient care,” said Elad Luz, Head of Research at CyberMDX. “The onus for medical device security lies across all stakeholders — the device manufacturers, healthcare providers, and technology companies — and CyberMDX’s cybersecurity research team is committed to working with all these parties to make hospitals safer and medical equipment more reliable.”
CyberMDX is an IoT security leader dedicated to protecting the quality care of health delivery worldwide. CyberMDX provides cloud-based cybersecurity solutions that support the advancement of The Internet of Medical Things. The CyberMDX solution identifies endpoints and assesses vulnerabilities to detect, respond to, and prevent cyber incidents. Deployed worldwide, CyberMDX is designed to integrate with our customers’ existing environments through its scalable, easy-to-deploy and agentless solution.