The DHS Industrial Control Systems Cyber Emergency Response Team, acting on weaknesses unearthed by researchers at CyberMDX, said the vulnerabilities could allow a malicious attacker to completely disable BD’s Alaris Gateway Workstation and install malware or report false information. The attacker could also exploit the flaw to communicate directly with the pumps to change drug dosages and infusion rates, ICS-CERT said.
DHS issued an advisory in August 2018 warning consumers that the Alaris syringe pumps could be hacked when connected to a terminal server. The company said at the time that the vulnerability could not be exploited if the pump was connected to an Alaris Gateway Workstation instead.
CyberMDX researchers said that the Alaris Gateway Workstations are vulnerable to a new exploit that could remotely manipulate firmware files. No special privileges are needed to execute the attack, meaning hackers can freeze the system until it is repaired by the manufacturer. A hacker could also use the gateway to prevent the administration of life-saving treatment and alter intended drug dosages.
CyberMDX and the U.S. Department of Homeland Security tested and validated the vulnerabilities before BD confirmed them. The Alaris Gateway firmware vulnerability was assigned a Common Vulnerability Scoring System (CVSS) risk score of 10.0 (critical). The vulnerability in the workstation’s web browser user interface was assigned a CVSS risk score of 7.3 (high).
“Identifying, quantifying and prioritizing medical device security vulnerabilities requires constant vigilance. Our goal is to discover and help remedy critical vulnerabilities before they are exploited to adversely affect patient care,” Elad Luz, head of research at CyberMDX, said in a press release. “The onus for medical device security lies across all stakeholders – the device manufacturers, healthcare providers and technology companies – and CyberMDX’s cybersecurity research team is committed to working with all these parties to make hospitals safer and medical equipment more reliable.”
Alaris Gateway Workstations offer mounting, power and communication support to infusion pumps, which are used in a number of therapies, including fluid therapy, blood transfusions, chemotherapy, dialysis and anesthesia.
The company’s firmware vulnerability was given a severity score of 10 out of 10.
For the Alaris Gateway Workstation Web Browser User Interface vulnerability, BD recommended updating to the latest firmware, version 1.3.2 or 1.6.1. The company also advised users to ensure that only appropriate associates can access their network and to isolate their networks from untrusted systems. For the Alaris Gateway Workstation Dangerous File Upload vulnerability, BD recommended blocking the SMB protocol and placing the workstations on a segregated VLAN.