The U.S. Dept. of Homeland Security issued an advisory this week, warning consumers that BD’s (NYSE: BDX) Alaris syringe pumps can be hacked via a vulnerability that gives a remote attacker unauthorized access to the device when it is connected to a terminal server.
BD determined that the affected products are not sold within the U.S., a spokesman told Drug Delivery Business News, noting that the issue only affects older models used outside the U.S.
“BD no longer sells any of these pumps, and any syringe pump we currently sell is not affected by this vulnerability. In addition, this vulnerability only exists when pumps are connected to a terminal server, which is not recommended by BD,” the spokesman told us.
The devices – Alaris GS, Alaris GH, Alaris CC and Alaris TIVA – include software that does not “perform authentication for functionality that requires a provable user identity,” the DHS wrote. The vulnerability was discovered by Elad Luz of CyberMDX, and BD reported the problem to DHS’ Industrial Control Systems Cyber Emergency Response Team.
The vulnerability cannot be exploited if the device is connected to an Alaris Gateway Workstation, BD said, and a hacker cannot remotely turn on a device. To reduce the risk associated with this vulnerability, BD recommended that users operate the pumps in a segmented network environment or as a stand-alone device.
The company also noted that users should connect the pumps via the Alaris Gateway Workstation, which would turn off the remote control feature.
The NCCIC recommended that users rely on secure methods, like a virtual private network (VPN), if they need to use the remote access feature of the pump. But the group cautioned that “VPN is only as secure as the connected devices.”