Alerts: Some BD Infusion Pumps Vulnerable to Remote Attacks
Flaws Are a Reminder of Common Legacy Medical Device Security Risks
Medical device vendor Becton Dickinson and U.S. federal regulators have issued security alerts about vulnerabilities that potentially put certain infusion pump products from the manufacturer at risk for remote hacker attacks.
On Thursday, Becton Dickinson and the Department of Homeland Security's Industrial Control System Computer Emergency Response Team each issued security alerts about vulnerabilities in certain BD Alaris Gateway Workstations.
The vulnerabilities, which DHS described in its advisory as involving "improper access control" and also "unrestricted dangerous file upload" during firmware updates, were recently identified by researchers at CyberMDX, the alerts note.
A BD spokesman tells Information Security Media Group that there is no evidence that the vulnerabilities have been exploited.
The affected products are not sold or used in the U.S.
The BD spokesman tells ISMG that the largest concentrations of the affected devices are in Germany, the United Kingdom, Italy, the Netherlands and Spain. "No country has more than 3,000 devices," he says.
"There are about 50 countries that use this pump, but 20 of those countries have fewer than 10 units in the entire country and only eight countries have more than 1,000 devices," he says. "The countries span the globe, but the vast majority are in Europe. In addition, this is not the most widely used BD infusion system. The vast majority of BD infusion products are not affected by this disclosure."
Elad Luz, head of research at CyberMDX, the firm that identified the Alaris Gateway Workstation flaws, tells ISMG that the kinds of problems found in the products are alarming.
"Regardless of where this specific product is sold, we feel this is a stark reminder that hospitals and device manufacturers must remain vigilant in protecting their connected medical devices," Luz says.
DHS issued one alert for both types of vulnerabilities identified, but BD issued two separate alerts - one for the unauthorized access vulnerability and another for the unauthorized firmware problem.
"Exploitation of these vulnerabilities could allow unauthorized arbitrary code execution, which could allow an attacker to view and edit device status and configuration details as well as cause devices to become unavailable," DHS says in its alert.
Unauthorized Firmware Flaw
In its alert about the unauthorized firmware vulnerability, BD says that, if exploited, this vulnerability may allow an attacker to remotely install unauthorized firmware.
"In order to access this vulnerability, an attacker would need to gain access to a hospital network, have intimate knowledge of the product, be able to update and manipulate a CAB file, which stores files in an archived library and utilizes a proper format for Windows CE," the alert notes.
"If an attacker is able to complete those steps, they may also utilize this vulnerability to change the scope to adjust commands on the infusion pump, including adjust the infusion rate on specific mounted infusion pumps," BD says.
"In addition, to exploit the vulnerability on the workstation, an attacker would need to create an executable with custom code that can run in the Windows CE environment, understand how the internal communication protocols are utilized within the product and create a specific installer for the CAB file, with settings required to run the program. Adjusting the change in scope is difficult to exploit."
Lack of Authentication
In the vulnerability involving the web browser user interface's lack of authentication, "a malicious attacker would need to gain access to the hospital's internal network - at minimum, acquiring an IP on the subnet - for this attack to be successful," BD notes in that alert.
"For this reason, we anticipate the attacker to have elevated privileges; however, the web browser user interface does not require authentication and therefore privileges are not required," the company says.
"A successful attack would involve compromise of system integrity, due to the risk of modification of network settings, and system/data availability, if an attacker pushes the workstation into a reboot cycle. Pump information, such as model information and software version, is not deemed to be sensitive data; however, data confidentiality is impacted as status, logging, network and configuration information are viewable and offer the ability to modify parameters."
Luz of CyberMDX tells ISMG that if the vulnerabilities were to be remotely exploited, "a hacker can alter infusion rates, increasing and decreasing dosage. It also would be possible to stop infusion. Both scenarios would have a direct impact on a patient's health."
In addition, certain pump alerts can be silenced, thereby rendering built-in safety measures useless, he contends. "High impacts to system and data integrity and availability exist as complete or partial disabling of the gateway is possible. This is why the [firmware] vulnerability was given a vulnerability score of 10," by DHS, he says. That's the highest score for a vulnerability on the National Institute of Standards and Technology's Common Vulnerability Scoring System.
The authentication weakness was given a CVSS score of 7.3, according to the DHS alert.
The BD spokesman notes that the device maker has "a voluntary, proactive vulnerability disclosure process" to ensure its customers are aware of any potential vulnerabilities and the compensating controls to mitigate them.
"With respect to the Alaris Gateway [firmware vulnerability] disclosure, resulting from a previously disclosed Windows vulnerability affecting the Windows CE operating system, the vulnerability only affects Alaris Gateway Workstations that have not been updated with one of the latest firmware versions - version 1.6.1 released in April 2018 or version 1.3.2 released February 2019," he says.
In order for a malicious attacker to alter a pump's infusion parameters, many prerequisites are required, including access to the hospital network, intimate knowledge of the product and the ability to update and manipulate a CAB file, which stores files in an archived library and utilizes a proper format for Windows CE, he says.
"The external security research firm was not able to replicate the manipulation of infusion parameters, and there have been no reported exploits of this vulnerability," he adds.
The vulnerability is fully corrected by updating the Alaris Gateway Workstation to the latest firmware, which is readily available, and for those who do not update their firmware, BD will provide a software patch within 60 days, he says.
Infusion Pump Woes
BD isn't the only medical device vendor that's had security issues involving infusion pump products.
For example, in 2015, the Food and Drug Administration issued a safety communication advising healthcare providers to stop using the Hospira Symbiq Infusion System, Version 3.13 or older due to cybersecurity vulnerabilities.
"Security researchers focus on infusion pumps because they are plentiful devices that work directly on patients worldwide," notes Ben Ransford, president of healthcare cybersecurity firm Virta Labs.
"Legacy medical devices have so many vulnerabilities that researchers can't feasibly announce all of them. The barrel is overstocked with fish. Companies that want to sell security software to struggling hospitals could easily stockpile vulnerabilities and continue a basal drip of announcements for decades," he contends.
"Medical device manufacturers shouldn't sit around waiting passively for researchers to report vulnerabilities to them. They also need to take an active role and fix low-hanging fruit."
The lack of authentication is one of the most common design flaws found in medical devices, Luz says.
"Legacy devices, deprecated and unpatched software, security misconfigurations and the usage of insecure medical protocols are certainly a serious issue," he says. "On average, each hospital bed is connected to approximately six to 10 medical devices. Multiply that by the number of beds in large healthcare organizations in order to get a sense of the scope of what we are dealing with."
Legacy infrastructure built out over many years often means a patchwork of systems, networks and technologies that have been joined together - causing problems like the recent vulnerability CyberMDX discovered, he adds.
"Most medical equipment has a long lifetime, meaning older products have few, if any, cybersecurity features, and different assets 'play by different rules.' With machines running outdated software versions and many lacking important after-market security patches all being bridged into the same network, the potential for infection is huge."