An array of medication-management systems from Becton Dickinson (NYSE: BDX) are vulnerable to the industry-wide KRACK key-reinstallation cyber attack, according to the company and to the Dept. of Homeland Security.
The flaw, which was first reported last year, is a vulnerability in the WPA2 protocol for securing Wi-Fi that can imperil the confidentiality and integrity of communication between a Wi-Fi access point and a Wi-Fi-enabled client, such as a computer, phone or other gear – even though the data is encrypted.
If a hacker successfully exploited this vulnerability, they could gain access to encrypted data like patient records, according to a notice from the DHS’ Industrial Control Systems Cyber Emergency Response Team.
“An industry-wide vulnerability exists in the WPA and WPA2 protocol affected by the Key Reinstallation Attacks known as KRACK. The four-way handshake traffic in the Wi-Fi Protected Access WPA and WPA2 protocol can be manipulated to allow nonce reuse resulting in key reinstallation. This could allow an attacker to execute a ‘man-in-the-middle’ attack, enabling the attacker within radio range to replay, decrypt, or spoof frames,” the ICS-CERT wrote.
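The mechanism the ICS-CERT describes, as an added toy model that is not part of the article or of any BD or ICS-CERT material: a client-side handshake state machine in which a retransmitted message 3 reinstalls the key and resets the packet number (nonce), and the mitigation of refusing to reinstall a key that is already installed. The keystream function, the key material and the frame contents are constructed stand-ins, not the real CCMP cipher or any device's traffic.

```python
import hashlib

def keystream(ptk: bytes, nonce: int, length: int) -> bytes:
    """Stand-in for the CCMP keystream (not the real cipher): same (key, nonce) gives same bytes."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(ptk + nonce.to_bytes(6, "big") + bytes([block])).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Supplicant:
    """Client side of the four-way handshake; patched=True refuses to reinstall an installed key."""
    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk = None
        self.nonce = 0                 # CCMP packet number; must never repeat under one key
        self.seen = set()              # (key, nonce) pairs already used, kept for detection

    def on_msg3(self, ptk: bytes) -> str:
        """Handle message 3, which the access point may retransmit."""
        if self.patched and self.ptk == ptk:
            return "retransmit ignored"   # mitigation: key already installed, do nothing
        self.ptk = ptk
        self.nonce = 0                 # installing the key resets the packet number
        return "key installed"

    def encrypt(self, plaintext: bytes):
        """Encrypt one frame; returns (nonce, ciphertext, nonce_was_reused)."""
        nonce, self.nonce = self.nonce, self.nonce + 1
        reused = (self.ptk, nonce) in self.seen
        self.seen.add((self.ptk, nonce))
        return nonce, xor(plaintext, keystream(self.ptk, nonce, len(plaintext))), reused

def simulate(patched: bool) -> dict:
    """Handshake, send frame A, access point retransmits message 3, send frame B."""
    ptk = hashlib.sha256(b"constructed PMK|ANonce|SNonce").digest()[:16]  # constructed key
    pt_a, pt_b = b"patient record A", b"patient record B"           # constructed frames
    sta = Supplicant(patched)
    sta.on_msg3(ptk)
    n1, ct_a, _ = sta.encrypt(pt_a)
    outcome = sta.on_msg3(ptk)         # retransmitted message 3 arrives
    n2, ct_b, reused = sta.encrypt(pt_b)
    return {"msg3_retransmit": outcome, "nonces": (n1, n2), "nonce_reused": reused,
            "keystream_reused": xor(ct_a, ct_b) == xor(pt_a, pt_b)}  # ct XOR == pt XOR
```

`simulate(False)` shows the unpatched client using nonce 0 twice under the same key, which is the condition the advisory calls nonce reuse; `simulate(True)` shows the patched client continuing from nonce 1 so no keystream repeats.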
BD noted that accessing devices through the KRACK vulnerability is highly complex and requires physical proximity to an affected Wi-Fi access point and client.
The company has applied third-party vendor patches to address the devices’ vulnerabilities. BD also recommended that customers ensure their data is backed up and that appropriate physical controls are in place to keep attackers from coming within range of an affected Wi-Fi access point.
“There is currently no reported verified instance of the KRACK vulnerability being exploited maliciously against BD devices,” the company added.