The Department of Homeland Security National Cybersecurity and Communications Integration Center (NCCIC) released two advisories on Tuesday, notifying the healthcare sector of vulnerabilities in Stryker medical beds and Becton, Dickinson (BD) FACSLyric Cytometry Solutions.
The wireless-enabled Stryker Secure II MedSurg Bed, S3 MedSurg Bed, and InTouch ICU Bed are affected by KRACK (Key Reinstallation Attacks), an industry-wide weakness in the WPA and WPA2 protocols disclosed by researchers in 2017. According to the alert, the four-way handshake traffic in these protocols can be manipulated to make a client reinstall a key that is already in use; because installing a key resets the associated packet nonce and replay counter, the same nonce is then reused with the same key.
As a result, an attacker within radio range could mount a man-in-the-middle attack and replay, decrypt, or forge frames. Officials said the flaw could also cause reinstallation of the group key (GTK) and the integrity group temporal key (IGTK) during the four-way handshake.
The same weakness also allows reinstallation of the group key and IGTK during the group key handshake, of the pairwise transient key (PTK) during the Fast BSS Transition (FT) handshake, and of the Tunneled Direct-Link Setup (TDLS) Peer Key during the TDLS handshake, among others. Officials said the vulnerability is not known to have been exploited.
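To make the mechanism concrete, the following is an added example written for this article; it is not code from the advisory, from Stryker, or from the KRACK researchers. It models a Wi-Fi station and receiver with a toy counter-mode cipher (HMAC-SHA256 used as the keystream generator stands in for CCMP's AES-CTR; the nonce-reuse property is identical) and shows the two consequences the advisory describes: once a client is tricked into reinstalling its current key, its packet number (the nonce) restarts at 1, so a frame the attacker can guess (a constructed ARP-like stand-in here) reveals the keystream and therefore a later sensitive frame; and because the receiver's replay counter is reset too, a previously rejected replayed frame is accepted again. All keys, frame contents and class names are constructed for the demonstration.

```python
"""Toy model of why a Wi-Fi key reinstallation breaks frame protection.

Constructed example; not from the NCCIC advisory, Stryker or BD. CCMP
protects each frame with AES counter mode under the pairwise key, using a
nonce built from the sender's packet number (PN). This model swaps AES for
HMAC-SHA256 as the keystream generator; nonce reuse behaves the same way.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Counter-mode keystream: PRF(key, nonce || counter), block by block."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = nonce.to_bytes(6, "big") + counter.to_bytes(2, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def protect(key: bytes, pn: int, data: bytes) -> bytes:
    """XOR the frame body with the keystream; the PN doubles as the nonce.
    Encryption and decryption are the same operation."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, pn, len(data))))


@dataclass
class Station:
    """Sender: holds the installed key and the next packet number."""
    key: bytes
    pn: int = 1

    def send(self, body: bytes) -> tuple[int, bytes]:
        frame = (self.pn, protect(self.key, self.pn, body))
        self.pn += 1
        return frame

    def install_key(self, key: bytes) -> None:
        # 802.11 resets the PN whenever a key is installed. KRACK abuses the
        # fact that a vulnerable client does this even for a key already in use.
        self.key = key
        self.pn = 1


@dataclass
class Receiver:
    """Receiver: decrypts and enforces a strictly increasing replay counter."""
    key: bytes
    replay_counter: int = 0

    def accept(self, frame: tuple[int, bytes]) -> bytes | None:
        pn, body = frame
        if pn <= self.replay_counter:
            return None  # replayed or out-of-order frame rejected
        self.replay_counter = pn
        return protect(self.key, pn, body)

    def install_key(self, key: bytes) -> None:
        # Reinstallation also zeroes the replay counter on the receive side.
        self.key = key
        self.replay_counter = 0


def recover_with_known_plaintext(c_known: bytes, p_known: bytes,
                                 c_target: bytes) -> bytes:
    """Nonce reuse gives c1 ^ c2 = p1 ^ p2: a guessed plaintext yields the
    keystream, and the keystream decrypts the other frame (shorter length)."""
    n = min(len(c_known), len(c_target))
    ks = bytes(c ^ p for c, p in zip(c_known[:n], p_known[:n]))
    return bytes(c ^ k for c, k in zip(c_target[:n], ks))


# Constructed session key standing in for a PTK from a real handshake.
PTK = b"constructed-ptk-from-4-way-handshake"
# Constructed frames: one guessable (ARP-like), one sensitive; both 32 bytes.
KNOWN_FRAME = b"ARP who-has 10.0.0.1 tell 10.0.0"
SECRET_FRAME = b"GET /patients/1234 HTTP/1.1 host"


def demo_nonce_reuse() -> bytes:
    """Client reinstalls its current key, reuses PN 1, and leaks a frame."""
    client = Station(PTK)
    pn1, c_known = client.send(KNOWN_FRAME)
    client.install_key(PTK)            # attacker replays handshake message 3
    pn2, c_secret = client.send(SECRET_FRAME)
    assert pn1 == pn2 == 1             # same key, same nonce
    return recover_with_known_plaintext(c_known, KNOWN_FRAME, c_secret)


def demo_replay() -> tuple[bool, bool, bool]:
    """Returns (accepted first, replay rejected, accepted after reinstall)."""
    ap, client = Station(PTK), Receiver(PTK)
    frame = ap.send(b"captured frame from the AP")
    first = client.accept(frame) is not None
    replayed = client.accept(frame) is None
    client.install_key(PTK)            # forced reinstallation of the same key
    again = client.accept(frame) is not None
    return first, replayed, again


if __name__ == "__main__":
    print("recovered:", demo_nonce_reuse())
    print("replay (first, rejected, after reinstall):", demo_replay())
```

The fix on the client side is the one the Wi-Fi vendors shipped: refuse to reinstall a key that is already installed (or at least never reset the nonce and replay counter for it), so a retransmitted handshake message cannot rewind the PN.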
Stryker has released patches for the affected beds to mitigate the KRACK flaws; however, no patch is available for Gateway 1.0. Officials recommended that organizations take additional security measures to minimize the risk of exploitation, and Stryker stressed that all new releases of its wireless products will include the patch.
Specifically, the iBed wireless function can be disabled if the IT team deems it unnecessary. Officials also recommended segmenting these products onto a separate VLAN where possible.
“As an extra precaution, ensure the latest recommended updates (which include the KRACK patch) for Wi-Fi access points have been implemented in Wi-Fi enabled networks,” officials wrote.
“S3 Products shipped as of November 7, 2018 and InTouch products shipped as of July 9, 2018 included the patch. New wireless activations include software addressing this vulnerability,” officials told HealthITSecurity.com in an email.
NCCIC officials added that organizations should minimize network exposure for all control system devices and ensure they are not accessible from the internet. IT should also locate control system networks and remote devices behind firewalls and isolate them from the business network.
“When remote access is required, use secure methods, such as Virtual Private Networks, recognizing that VPNs may have vulnerabilities and should be updated to the most current version available,” NCCIC officials wrote. “Also recognize that VPN is only as secure as the connected devices.”
“NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures,” they added.
BD FACSLyric Cytometry Solutions
NCCIC also released an advisory about a vulnerability in BD FACSLyric Cytometry Solutions that requires only a low skill level to exploit. Officials noted that FACSLyric flow cytometry systems running the Windows 7 operating system are not affected by the flaw.
According to the notice, the system does not properly enforce user access controls for a privileged account, which could give an attacker administrative-level privileges on the workstation.
“Successful exploitation of this vulnerability may allow an attacker to gain unauthorized access to administrative level privileges on a workstation, which could allow arbitrary execution of commands,” NCCIC officials wrote.
BD will notify all affected users to remediate the flaw and will disable the administrative account on FACSLyric RUO Cell Analyzer units running Windows 10 Pro. BD has also contacted the one BD FACSLyric IVD cell analyzer customer and will replace the workstations for that customer's three devices.
NCCIC officials recommended that users bolster defensive measures to reduce the risk of exploitation, including minimizing network exposure for all medical devices and systems, locating medical devices behind firewalls and isolating them where possible, and restricting access to authorized personnel under the principle of least privilege.
NCCIC further advocated defense-in-depth strategies and advised organizations to disable unnecessary accounts and services.
“Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents,” officials wrote. “No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely.”