Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

IoT Security

Vulnerabilities Expose BD Infusion Therapy Devices to Attacks

CyberMDX, a research and analysis company specializing in medical device security, on Thursday revealed that its employees identified two serious vulnerabilities in infusion therapy products from medical technology firm BD.

CyberMDX, a research and analysis company specializing in medical device security, on Thursday revealed that its employees identified two serious vulnerabilities in infusion therapy products from medical technology firm BD.

The flaws affect the Alaris Gateway Workstation, which is used for mounting, powering and communicating with infusion pumps. Specifically, the weaknesses impact devices running versions 1.1.3, 1.2, 1.3.0 and 1.3.1 of the firmware. The latest versions, 1.3.2 and 1.6.1, are not impacted.

Vulnerabilities found in BD Alaris Gateway WorkstationExploitation of the flaws could affect Alaris GS (no longer supported), GH, CC and TIVA infusion pumps running software version 2.3.6 and earlier. BD pointed out that version 2.3.6 was released back in 2006.

One of the vulnerabilities, tracked as CVE-2019-10959 and classified as “critical” with a CVSS score of 10, allows an attacker with network access to the targeted device to upload a malicious firmware to the Alaris Gateway Workstation.

The second security hole, tracked as CVE-2019-10962 and rated “high severity,” allows an attacker to access the web-based interface of the Alaris Gateway Workstation simply by knowing its IP address.

An attacker could exploit these vulnerabilities to brick the workstation device or manipulate communications with infusion pumps, which, in a worst case scenario, can be used to modify drug dosages or prevent the device from administering life-saving treatment, CyberMDX said.

CyberMDX told SecurityWeek that it’s not aware of any Alaris Gateway Workstation instances exposed directly to the internet and the company believes that the chances for that are extremely low.

“BD has assessed the change in scope to this vulnerability for clinical impact and concluded that although the probability of remotely exploiting the vulnerability to the Workstation and then creating a custom, executable code that impacts the delivery of a patient’s IV infusion is theoretically possible, the probability of patient harm is unlikely to occur due to the sequence of events that must occur in a specific order by a highly trained attacker. BD has had zero reports of this issue occurring from any customer sites,” BD said in its advisory.

BD has pointed out that the vulnerable products are not sold in the United States. An advisory from the DHS’s National Cybersecurity & Communications Integration Center (NCCIC) shows that the devices are mainly used in Europe and Asia.

Advertisement. Scroll to continue reading.

In addition to patches, BD released some recommendations for mitigating potential attacks.

Related: Flaws in Roche Medical Devices Can Put Patients at Risk

Related: Siemens Medical Products Affected by Wormable Windows Flaw

Related: Serious Vulnerabilities Found in Fujifilm X-Ray Devices

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.