- Researchers identified a potential medical device security vulnerability in Becton, Dickinson and Company’s (BD) Alaris 8015 Point of Care (PC) unit Version 9.5, according to the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
ZingBox researchers reportedly found that an unauthorized user with physical access to one of the devices might be able to obtain unencrypted wireless network authentication credentials. The unauthorized user could then access the device’s flash memory.
“The Alaris 8015 PC unit, Version 9.7 stores wireless network authentication credentials and other sensitive technical data on internal flash memory,” ICS-CERT said in its advisory. “Accessing the internal flash memory of the affected device would require special tools to extract data and carrying out this attack at a healthcare facility would increase the likelihood of detection.”
Alaris 8015 PC unit, Version 9.5, as well as prior versions are affected. Alaris 8015 PC unit, Version 9.7 is also impacted, according to the advisory.
The product is also the core of the Alaris System that provides a common user interface for programming intravenous infusions, and is deployed across the healthcare industry.
“An unauthorized user with physical access to an Alaris 8015 PC unit may be able to disassemble the device to access the removable flash memory, allowing read and write access to device memory,” ICS-CERT warned. “Older software versions of the Alaris 8015 PC unit, Version 9.5 and prior versions, store wireless network authentication credentials and other sensitive technical data on the affected device’s removable flash memory.”
BD has not yet released a fix to address the vulnerability, but the company has released “compensating controls” to reduce an exploitation risk.
Users should upgrade to the latest Alaris PC unit software to lower their risk and should also “follow procedures for clearing wireless network authentication credentials on the Alaris PCU if the device is to be removed from service or it will not be in control of institutional staff.”
Users are also advised to regularly change their wireless network authentication credentials, and should change them immediately if there is evidence of unauthorized access.
BD also advised the following steps for product users:
- Consider a security policy in which wireless credentials are not configured for the Alaris PCU if wireless networking functionality is not being utilized for operation. This will remediate the vulnerability for non-wireless users.
- Implement a policy of using tamper-evident seals on the rear access panel and on the grooves of both sides of the Alaris PCU.
- Implement Access Control Lists (ACLs) that restrict device access to specific media access control (MAC) and IP addresses, ports, protocols, and services.
In its own statement, BD explained that a limited set of ePHI elements could potentially be accessed when an unauthorized user disassembles the Alaris 8015. Patient ID, infusion parameters, past infusion history, and patient weight could be accessed by an unauthorized individual.
These ePHI elements do not uniquely identify an individual though, BD added.
“Physical access is required to exploit this vulnerability,” BD said in reference to 8015 with software version 9.5 or earlier. “Attack complexity is LOW based on availability of these wireless credentials on the PCU removable Flash card, and no system privilege is required.”
“The scope is considered unchanged as the disclosure of a password is a loss of confidentiality on the local system and subsequent attacks would be necessary to change scope,” the advisory continued. “The Network credentials are considered sensitive parameters which results in the Confidentiality impact as HIGH.”
For 8015 with software version 9.7 or later, BD explained that physical access is also required but that the attack complexity is “HIGH.”
“The attacker would have to obtain knowledge of the command interface used by the Alaris PCU,” according to the advisory. “No system privilege is required. The scope is considered unchanged as the disclosure of wireless credentials stored in the PCU’s internal flash memory is a loss of confidentiality. The Network credentials are considered sensitive parameters which results in the Confidentiality impact as HIGH.”
ICS-CERT reported on a similar medical device security vulnerability in September 2017, when it was discovered that a remote attacker could possibly gain access to Smiths Medical’s Medfusion 4000 Wireless Syringe Infusion Pump.
In that case, vulnerabilities could be remotely executed. ICS-CERT maintained that an attacker would need a high skill level to do so.
“ICS-CERT reminds organizations to perform proper impact analysis and risk assessment by examining their specific clinical use of the pump in the host environment,” the agency said. “NCCIC/ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities.”