BD Alaris Plus Medical Syringe Pumps Vulnerability Identified

Th BD Alaris Plus medical syringe pumps has a crucial wirelessly exploitable vulnerability. When linked to a terminal server through the serial port, the medical syringe pump could be exploited by a threat actor who can change the supposed work of the syringe pump.

The vulnerability is an incorrect authentication flaw. The software program falls flat to execute authentication for operation that demands a provable user ID.

Elad Luz of CyberMDX discovered the vulnerability and informed Becton, Dickinson and Company (BD). BD voluntarily said to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and the National Cybersecurity & Communications Integration Center about the flaw. ICS-CERT released a bulletin concerning the flaw on August 23, 2018.

Alaris Plus medical syringe pumps having version 2.3.6 of and earlier versions, in particular the Alaris GS, Alaris GH, Alaris CC, and Alaris TIVA products, are impacted by the flaw. The vulnerability has a designated a CVSS v3 rating of 9.4 and is being monitored as CVE-2018-147.

BD mentioned that the flaw is not impacting any products being purchased in the U.S. All present models of Alaris Plus pumps have no flaw. Vulnerable products were earlier marketed in the EU.

A threat actor is unable to exploit the flaw when the device is linked to the Alaris Gateway Workstation docking station since the remote-control function is not active while the unit is linked to the docking station.

When the device isn’t turned on it can’t be started up remotely. BD likewise remarked that when exploiting the vulnerability PII or PHI cannot be viewed.

BD stated that an attack uses a known flaw in terminal servers. Using a device having terminal servers isn’t supported. To lower the probability for the vulnerability to be taken advantage of, all users were instructed to operate the impacted pumps as stand-alone products or otherwise they must be utilized in a segmented network setting.

The ICS-CERT announcement remarks that threat actors having a low-level skill could exploit the flaw. However in accordance with BD, so as to perform an attack, these conditions should be met:

  • the device should be linked to a terminal server through a serial port
  • the attacker need to know the device communication protocol
  • the attacker has access to certain driver software to execute the pump protocol communication
  • the attacker could permeate a customer network and access the terminal server devices

Considering that these things are required to take advantage of the flaw, the possibility of an unapproved breach in network security which affects the service of a patient’s IV infusion is minimal.