Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

IoT Security

Vulnerabilities Expose BD Infusion Therapy Devices to Attacks

CyberMDX, a research and analysis company specializing in medical device security, on Thursday revealed that its employees identified two serious vulnerabilities in infusion therapy products from medical technology firm BD.

CyberMDX, a research and analysis company specializing in medical device security, on Thursday revealed that its employees identified two serious vulnerabilities in infusion therapy products from medical technology firm BD.

The flaws affect the Alaris Gateway Workstation, which is used for mounting, powering and communicating with infusion pumps. Specifically, the weaknesses impact devices running versions 1.1.3, 1.2, 1.3.0 and 1.3.1 of the firmware. The latest versions, 1.3.2 and 1.6.1, are not impacted.

Vulnerabilities found in BD Alaris Gateway WorkstationExploitation of the flaws could affect Alaris GS (no longer supported), GH, CC and TIVA infusion pumps running software version 2.3.6 and earlier. BD pointed out that version 2.3.6 was released back in 2006.

One of the vulnerabilities, tracked as CVE-2019-10959 and classified as “critical” with a CVSS score of 10, allows an attacker with network access to the targeted device to upload a malicious firmware to the Alaris Gateway Workstation.

The second security hole, tracked as CVE-2019-10962 and rated “high severity,” allows an attacker to access the web-based interface of the Alaris Gateway Workstation simply by knowing its IP address.

An attacker could exploit these vulnerabilities to brick the workstation device or manipulate communications with infusion pumps, which, in a worst case scenario, can be used to modify drug dosages or prevent the device from administering life-saving treatment, CyberMDX said.

CyberMDX told SecurityWeek that it’s not aware of any Alaris Gateway Workstation instances exposed directly to the internet and the company believes that the chances for that are extremely low.

“BD has assessed the change in scope to this vulnerability for clinical impact and concluded that although the probability of remotely exploiting the vulnerability to the Workstation and then creating a custom, executable code that impacts the delivery of a patient’s IV infusion is theoretically possible, the probability of patient harm is unlikely to occur due to the sequence of events that must occur in a specific order by a highly trained attacker. BD has had zero reports of this issue occurring from any customer sites,” BD said in its advisory.

BD has pointed out that the vulnerable products are not sold in the United States. An advisory from the DHS’s National Cybersecurity & Communications Integration Center (NCCIC) shows that the devices are mainly used in Europe and Asia.

Advertisement. Scroll to continue reading.

In addition to patches, BD released some recommendations for mitigating potential attacks.

Related: Flaws in Roche Medical Devices Can Put Patients at Risk

Related: Siemens Medical Products Affected by Wormable Windows Flaw

Related: Serious Vulnerabilities Found in Fujifilm X-Ray Devices

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

The US arm of networking giant TP-Link has appointed Adam Robertson as Director of Information and Security.

Cyber exposure management firm Armis has promoted Alex Mosher to President.

Software giant Atlassian has named David Cross as its new CISO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.