A vulnerability in the Windows CE-powered Alaris Gateway Workstation allows attackers to modify dosage rates for infusion pumps, which can have lethal results.
A critical vulnerability in the Alaris Gateway Workstation, a control system for infusion pumps manufactured by Becton, Dickinson and Company (BD) and used in hospitals, allows attackers to remotely modify the functionality of the system. The system is used to “provide mounting, power, and communication support to infusion pumps,” which are used for “a wide range of therapies including fluid therapy, blood transfusions, chemotherapy, dialysis, and anesthesia,” according to research firm CyberMDX.
The vulnerability, designated as CVE-2019-10962, is listed with a risk score of 10.0 (Critical), and permits attackers essentially full control of a device, including the ability to remotely install firmware, as the Alaris Gateway Workstation does not use cryptographically signed packages for firmware updates.
To exploit the vulnerability, an attacker would need access to a hospital network, and the resources to manipulate CAB files for Windows CE. According to the vulnerability description, “If an attacker is able to complete those steps, they may also utilize this vulnerability to adjust specific commands on the infusion pump, including adjusting the infusion rate on specific versions of a mounted infusion pump.”
Gaining access to a hospital network may be a challenge, though audits of hospital networks around the world, including in the United Kingdom and Singapore, have routinely found security holes. The Windows CE portion of this vulnerability is trivial, as the necessary SDKs are available on MSDN—or, as is often the case for Microsoft products, on file-sharing networks.
CyberMDX recommends blocking use of the SMB protocol, as well as segregating VLAN networks and ensuring only appropriate users have access to the network.
A secondary vulnerability in the browser-based user interface for Alaris Gateway Workstation was discovered, potentially allowing hackers to gain access to monitoring, event logs, user guides, and configuration information, if the IP address of the terminal is known. A firmware update is available to address this vulnerability, designated as CVE-2019-10959.
The National Cybersecurity and Communications Integration Center (NCCIC) notes that “no known public exploits specifically target these vulnerabilities,” and that “the affected products are not sold in the United States.”
While most Internet of Things (IoT) vulnerabilities do not have the potential to be lethal, the relatively higher stakes that accompany connecting medical devices to the internet should greatly concern security professionals.
For more on IoT security, check out “Infographic: People still have no idea what IoT actually is,” “Only 9% of companies warn employees about IoT risks,” and the “5 biggest IoT security failures of 2018” on TechRepublic.