CyberMDX Discovers Vulnerability in the Becton Dickinson Alaris TIVA Syringe Pump

ICS-CERT Advisory (ICSMA-18-235-01)

 

Risk: High. A CVSS v3 grade of 9.4 (critical) has been calculated. The CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H).
Date Discovered by CyberMDX: May 8, 2018
ICS-CERT Advisory date: August 23, 2018

 

Summary

CyberMDX discovered a previously undocumented vulnerability in the device: when the syringe pump is connected to a network, anyone on that network can control it remotely, with no authentication required. The remote control allows starting/stopping of the pump, changing its rate, silencing alarms, and more.

Vulnerability details

Product background

Becton Dickinson's Alaris® TIVA is a popular syringe pump sold primarily outside of the US, found at hospital bedsides, often with more than one per patient. These devices apply precise drug doses to patients over periods that can last from hours to days.

Network connection

Today it is common for hospitals to connect medical devices to their network as part of their workflows, to send telemetry, and/or to work with their databases. This syringe pump has a communication port of the old serial RS232 type. This serial port cannot connect directly to a conventional network.

Surprisingly, many medical devices still use this serial protocol and hospitals typically bridge them to their network using a terminal server.

A terminal server is a small box that accepts serial connections from multiple devices (in hospitals these are usually all medical devices found in the same room) and bridges them all to a standard network.

This bridging is usually accomplished by streaming the serial data to different TCP ports, each corresponding to a different serial device. As a result, the terminal server "listens" on those ports, accepting incoming connections and directing them to the serial ports of the medical devices behind it.

Though this is far from a best practice for connecting to a network (and not recommended by BD), it is a common practice.

Left to right: the syringe pump, a terminal server, a network switch. The laptop is also connected to the network switch.

The attack scenario

Using a protocol proprietary to the Alaris pump series, one can send commands that instruct the pump to start or stop, increase the pump rate by up to x1000, silence alarms, and more.

The commands can be sent over the hospital’s network if the pump is connected in the manner described above (using a terminal server bridge). In this way the pump is exposed to any attacker who has penetrated the hospital network.

 

Bonus: reconnaissance

CyberMDX recreated the attack scenario using terminal servers from industry standard vendors, supplying hospitals all over the world.

In the course of recreating such an event, we further found that an attacker can compromise the device even without any prior knowledge of the IP address / location of the pump. This is because:

  • All terminal servers answer to a discovery signal that can be sent over the network. This grants you IP addresses for all the devices connected to the network in just a few seconds.
  • Given a terminal server address, you can try to connect to its different ports, and when a connection is made, try to "handshake" with a pump using the proprietary protocol. A successful handshake will result in an active line of command and control communication opened to the syringe pump.

In this way you can find all the connected pumps in a hospital in less than a minute and with no prior knowledge about the network.

Mitigations and Recommendations

The following mitigations and compensating controls are recommended in order to reduce risk associated with this vulnerability:

      • Customers should ensure they are operating these devices in a segmented network environment or as a stand-alone device.
      • Customers should utilize connections via the Alaris™ Gateway Workstation docker, which would inactivate the remote control feature.
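
To check that the segmentation recommended above actually holds, a defender can review flow logs for any host outside an allowlist that reaches a terminal server's serial-bridge ports. The following is an added example, not code from CyberMDX or BD; the addresses, port numbers, log format and threshold are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# All addresses, ports and thresholds below are constructed for illustration.
TERMINAL_SERVERS = {"10.20.30.5"}   # serial-to-TCP bridges in front of pumps
ALLOWED_CLIENTS = {"10.20.30.10"}   # hosts permitted to reach those bridges
SWEEP_THRESHOLD = 3                 # distinct bridge ports from one source

# Constructed flow records: "timestamp source destination destination_port"
SAMPLE_FLOWS = """\
2018-08-23T10:00:01 10.20.30.10 10.20.30.5 4001
2018-08-23T10:05:10 10.20.99.44 10.20.30.5 4001
2018-08-23T10:05:10 10.20.99.44 10.20.30.5 4002
2018-08-23T10:05:11 10.20.99.44 10.20.30.5 4003
2018-08-23T10:07:00 10.20.77.8 10.20.30.5 4002
2018-08-23T10:08:00 10.20.77.8 10.20.40.9 443
garbled-line-without-fields
"""

def parse_flows(text):
    """Yield (src, dst, port) from well-formed lines; skip malformed ones."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _, src, dst, port = parts
        try:
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
            yield src, dst, int(port)
        except ValueError:
            continue

def find_alerts(text):
    """Flag non-allowlisted sources that reach a terminal server's ports."""
    ports_seen = defaultdict(set)
    for src, dst, port in parse_flows(text):
        if dst in TERMINAL_SERVERS and src not in ALLOWED_CLIENTS:
            ports_seen[(src, dst)].add(port)
    alerts = []
    for (src, dst), ports in sorted(ports_seen.items()):
        kind = "port-sweep" if len(ports) >= SWEEP_THRESHOLD else "unauthorized-access"
        alerts.append((kind, src, dst, sorted(ports)))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_FLOWS):
        print(alert)
```

In a correctly segmented deployment this check returns no alerts; any hit means a host outside the allowlist has a network path to the pumps.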

Credit

Elad Luz, Head of Research at CyberMDX

______________________________________________________

About CyberMDX

CyberMDX, a leading provider of medical cybersecurity, delivers zero-touch visibility and threat prevention for medical devices and clinical assets. CyberMDX delivers a scalable, easy-to-deploy cybersecurity solution, providing unmatched visibility and protection of medical devices, ensuring their operational continuity as well as patient and data safety. CyberMDX's multidisciplinary team consists of veterans of Israeli Intelligence’s elite cyber units, medical device experts, and AI academic leaders. For more information, please visit us at www.cybermdx.com