Risk: High. A CVSS v3 grade of 9.4 (critical) has been calculated. The CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H).
Date Discovered by CyberMDX: May 8, 2018
ICS-CERT Advisory date: August 23, 2018
CyberMDX discovered a previously undocumented vulnerability in the device: when the syringe pump is connected to a network, it is left exposed to remote control by anyone on that network, with no authentication required. This remote control allows starting/stopping the pump, changing its rate, silencing alarms, and more.
Becton Dickinson’s Alaris™ TIVA is a popular syringe pump sold primarily outside of the US, found at hospital bedsides, often with more than one per patient. These devices deliver precise drug doses to patients over periods that can last from hours to days.
Today it is common for hospitals to have medical devices connected to their network as part of their workflows, sending telemetry and/or working with their databases. This syringe pump has a communication port of the old serial RS232 type, and a serial port cannot directly connect to a conventional network.
Surprisingly, many medical devices still use this serial protocol and hospitals typically bridge them to their network using a terminal server.
A terminal server is a small box that accepts serial connections from multiple devices (in hospitals these are usually all the medical devices found in the same room) and bridges them all to a standard network.
This bridging is usually accomplished by streaming the serial data into different TCP ports, each corresponding to a different serial device. As a result, the terminal server “listens” to port activity, accepting incoming connections and directing them to the serial port of medical devices behind it.
Though this is far from a best practice for connecting to a network (and not recommended by BD), it is a common practice.
Left to right: the syringe pump, a terminal server, a network switch. The laptop is also connected to the network switch.
Using a protocol proprietary to the Alaris™ pump series, one can send commands that will instruct it to start/stop the pump, increase the pump rate up to x1000 faster, silence alarms, and more.
The commands can be sent over the hospital’s network if configured in the manner described above (using a terminal server bridge). In this way the pump is exposed to any attacker who has penetrated the hospital network.
CyberMDX recreated the attack scenario using terminal servers from industry standard vendors, supplying hospitals all over the world.
In the course of recreating such an event, we further found that an attacker can manage to compromise the device even without any prior knowledge of the IP address / location of the pump. This is because:
In this way you can find all the connected pumps in a hospital in less than a minute and with no prior knowledge about the network.
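A defender-side check for the exposure described above, added here as an example and not part of the original CyberMDX post: it reads constructed flow records for TCP connections to a terminal server's serial-bridge ports, flags sources outside an allowlist, and flags any source that touches several bridged serial lines within a short window (the kind of rapid enumeration the text describes). The terminal server addresses, the port range and the allowed client are hypothetical values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy (hypothetical values): terminal servers, the TCP port range
# they use to expose serial lines, and the only hosts allowed to talk to them.
TERMINAL_SERVERS = {"10.20.0.11", "10.20.0.12"}
BRIDGE_PORTS = range(4001, 4017)          # one TCP port per bridged serial device
ALLOWED_CLIENTS = {"10.20.5.40"}          # e.g. the clinical integration server
SWEEP_THRESHOLD = 3                       # distinct bridge endpoints per source per window
SWEEP_WINDOW = timedelta(seconds=60)

def parse_flow(line):
    """Parse a constructed flow record: 'ISO-time src_ip dst_ip dst_port proto'."""
    ts, src, dst, dport, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), proto

def analyse(lines):
    """Return (unauthorized, sweeps): flows from non-allowlisted hosts to
    serial-bridge ports, and sources touching many bridge ports quickly."""
    unauthorized = []
    per_source = defaultdict(list)        # src -> [(time, dst, port)]
    for line in lines:
        ts, src, dst, dport, proto = parse_flow(line)
        if proto != "tcp" or dst not in TERMINAL_SERVERS or dport not in BRIDGE_PORTS:
            continue                      # not traffic to a bridged serial line
        if src not in ALLOWED_CLIENTS:
            unauthorized.append((src, dst, dport))
        per_source[src].append((ts, dst, dport))
    sweeps = set()
    for src, hits in per_source.items():
        hits.sort()
        for i, (t0, _, _) in enumerate(hits):
            endpoints = {(d, p) for t, d, p in hits[i:] if t - t0 <= SWEEP_WINDOW}
            if len(endpoints) >= SWEEP_THRESHOLD:
                sweeps.add(src)
                break
    return unauthorized, sorted(sweeps)

# Constructed sample flows (not real hospital data).
SAMPLE_FLOWS = [
    "2018-05-08T10:00:00 10.20.5.40 10.20.0.11 4001 tcp",   # integration server, allowed
    "2018-05-08T10:00:05 10.20.5.40 10.20.0.12 4003 tcp",
    "2018-05-08T10:01:00 10.20.7.99 10.20.0.11 4001 tcp",   # unknown host on the network
    "2018-05-08T10:01:02 10.20.7.99 10.20.0.11 4002 tcp",
    "2018-05-08T10:01:04 10.20.7.99 10.20.0.12 4005 tcp",
    "2018-05-08T10:01:30 10.20.7.99 10.20.0.11 80 tcp",     # outside the bridge port range
    "2018-05-08T10:30:00 10.20.5.40 10.20.0.11 4002 tcp",
]

if __name__ == "__main__":
    bad, sweeping = analyse(SAMPLE_FLOWS)
    print(f"{len(bad)} unauthorized bridge connection(s); sweep sources: {sweeping}")
```

The same logic applies to real NetFlow or firewall logs once `parse_flow` is adapted to their field layout; blocking the bridge ports at the switch or firewall for everything but the allowlisted hosts is the corresponding preventive control.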
The following mitigations and compensating controls are recommended in order to reduce risk associated with this vulnerability:
Elad Luz, Head of Research at CyberMDX
CyberMDX’s research and analyst team regularly works with medical device organizations in the responsible disclosure of security vulnerabilities. The threat intelligence team works tirelessly to defend hospitals and healthcare organizations from malicious attacks. The team’s researchers, white hat hackers, and engineers collect information about possible attack paths to understand attacker motives, means, and methods in an effort to deliver the best protection possible.