CyberMDX Discovers Vulnerability in The Becton Dickinson Alaris™ TIVA Syringe Pump

ICS-CERT Advisory (ICSMA-18-235-01)


Risk: High. A CVSS v3 grade of 9.4 (critical) has been calculated. The CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H).
Date Discovered by CyberMDX: May 8, 2018
ICS-CERT Advisory date: August 23, 2018



CyberMDX discovered a previously undocumented vulnerability in the device: when the syringe pump is connected to a network, it is left exposed to remote control by anyone on that network, with no authentication required. The remote control allows starting/stopping of the pump, changing its rate, silencing alarms, and more.


Vulnerability Details


Product Background

Becton Dickinson’s Alaris™ TIVA is a popular syringe pump sold primarily outside of the US, found at hospital bedsides, often with more than one per patient. These devices apply precise drug doses to patients over periods that can last from hours to days.

Network Connection

Today it’s common for hospitals to have a medical device connected to their network, as part of their workflows, sending telemetry, and/or working with their databases. This syringe pump has a communication port of the old serial RS232 type. This serial port cannot directly connect to a conventional network.

Surprisingly, many medical devices still use this serial protocol and hospitals typically bridge them to their network using a terminal server.

A terminal server is a small box that accepts serial connections from multiple devices (in hospitals these are usually all medical devices found in the same room) and bridges them all to a standard network.

This bridging is usually accomplished by streaming the serial data into different TCP ports, each corresponding to a different serial device. As a result, the terminal server “listens” to port activity, accepting incoming connections and directing them to the serial port of medical devices behind it.

Though this is far from a best practice for connecting to a network (and not recommended by BD), it is a common practice.



Left to right: the syringe pump, a terminal server, a network switch. The laptop is also connected to the network switch.


The Attack Scenario

Using a protocol proprietary to the Alaris pump series, one can send commands that instruct the pump to start/stop, increase the pump rate up to 1000x faster, silence alarms, and more.

The commands can be sent over the hospital’s network if configured in the manner described above (using a terminal server bridge). In this way the pump is exposed to any attacker who has penetrated the hospital network.


Bonus: Reconnaissance

CyberMDX recreated the attack scenario using terminal servers from industry standard vendors, supplying hospitals all over the world.

In the course of recreating such an event, we further found that an attacker can manage to compromise the device even without any prior knowledge of the IP address / location of the pump. This is because:

  • All terminal servers answer to a discovery signal that can be sent over the network. This grants you IP addresses for all the devices connected to the network in just a few seconds.
  • Given a terminal server address, you can try to connect to its different ports and, when a connection is made, try to “handshake” with a pump using the proprietary protocol. A successful handshake will result in an active line of command and control communication opened to the syringe pump.

In this way you can find all the connected pumps in a hospital in less than a minute and with no prior knowledge about the network.


Mitigations and Recommendations

The following mitigations and compensating controls are recommended in order to reduce risk associated with this vulnerability:

  • Customers should ensure they are operating these devices in a segmented network environment or as a stand-alone device.
  • Customers should utilize connections via the Alaris™ Gateway Workstation docker, which would inactivate the remote control feature.
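
One way to check the segmentation recommended above and to spot the port-probing pattern described under Reconnaissance, as an added example (not CyberMDX or BD code). The flow-record format, IP addresses, port range and thresholds are constructed placeholders to be replaced with your own terminal server inventory.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed site inventory (constructed placeholders, replace with your own).
TERMINAL_SERVERS = {"10.20.0.5"}
SERIAL_PORTS = range(7001, 7009)                # TCP ports bridged to RS232 lines
ALLOWED_SOURCES = [ip_network("10.20.0.0/28")]  # clinical systems permitted to reach them
SWEEP_PORTS = 3                                 # distinct bridged ports per source...
SWEEP_WINDOW = 60                               # ...within this many seconds

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = [
    (1000, "10.20.0.2", "10.20.0.5", 7001),   # allowed system, one pump line
    (1010, "10.30.4.17", "10.20.0.5", 7001),  # source outside the segment
    (1012, "10.30.4.17", "10.20.0.5", 7002),
    (1015, "10.30.4.17", "10.20.0.5", 7003),
    (1020, "10.30.4.17", "10.20.0.9", 443),   # not a terminal server, ignored
    (5000, "10.20.0.3", "10.20.0.5", 7004),   # allowed
]

def is_allowed(src):
    return any(ip_address(src) in net for net in ALLOWED_SOURCES)

def analyze(flows):
    """Return (unauthorized, sweeps) alerts for traffic to bridged serial ports."""
    unauthorized, sweeps = [], set()
    seen = defaultdict(list)  # (src, dst) -> [(ts, port), ...]
    for ts, src, dst, port in sorted(flows):
        if dst not in TERMINAL_SERVERS or port not in SERIAL_PORTS:
            continue
        if not is_allowed(src):
            unauthorized.append((ts, src, dst, port))
        hits = seen[(src, dst)]
        hits.append((ts, port))
        # Keep only hits inside the sliding window, then count distinct ports.
        hits[:] = [(t, p) for t, p in hits if ts - t <= SWEEP_WINDOW]
        if len({p for _, p in hits}) >= SWEEP_PORTS:
            sweeps.add((src, dst))
    return unauthorized, sorted(sweeps)

if __name__ == "__main__":
    bad, sweeps = analyze(SAMPLE_FLOWS)
    for alert in bad:
        print("unauthorized source -> serial bridge:", alert)
    for src, dst in sweeps:
        print(f"port sweep of terminal server {dst} by {src}")
```

Any hit in the first list means the terminal server is reachable from outside its intended segment; the second list flags a single source walking across several bridged ports in quick succession.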




Elad Luz, Head of Research at CyberMDX

About CyberMDX’s Cybersecurity Research & Analysis Team 

CyberMDX’s research and analyst team regularly works with medical device organizations in the responsible disclosure of security vulnerabilities. The threat intelligence team works tirelessly to defend hospitals and healthcare organizations from malicious attacks. The team’s researchers, white hat hackers, and engineers collect information about possible attack paths to understand attacker motives, means, and methods in an effort to deliver the best protection possible. 

