Hackers exploit vulnerability to maliciously alter medical devices

Cybersecurity services specialists report the discovery of two vulnerabilities in Alaris Gateway workstations, which run Windows CE and support infusion pumps. According to the reports, exploiting these flaws could allow a remote threat actor to disable one of these pumps, inject malware, modify information or even alter the dose of medication that these devices administer to a patient.

Alaris Gateway workstations are manufactured by Becton, Dickinson and Company and are widely used in hospitals in at least 30 countries in Asia and Europe, a company spokesman reports. These workstations are used in various medical operations, such as fluid therapy, blood transfusions, chemotherapy and dialysis.

The vulnerabilities were detected by cybersecurity services specialists at CyberMDX Research Center; the manufacturer subsequently confirmed the existence of the security flaws.

The first of these flaws, tracked as CVE-2019-10959, exists in the workstation firmware and, if exploited, could allow a malicious user to upload arbitrary files during the firmware update process. In the report, cybersecurity experts say the hacker must first access the hospital network to collect the information needed to exploit the vulnerability. “If the hacker manages to exploit the flaw, they could modify the scope of the infusion pumps or modify the amount of medication supplied,” the experts added.

The second vulnerability, tracked as CVE-2019-10962, affects the workstation's web management console; the risk is higher because no authentication credentials are required to access the console. “Anyone who knows the IP address of a workstation could monitor the status of an infusion pump or access the activity log and even restart the device.”

According to researchers from the International Institute of Cyber Security (IICS), the vulnerability affects workstations operating with firmware versions 1.1.3 Build 10, 1.1.3 MR Build 11, 1.2 Build 15, 1.3.0 Build 14, and 1.3.1 Build 13. As a security measure, the company recommends that system administrators upgrade their deployments to firmware version 1.3.2 or 1.6.1 and block the SMB protocol, to ensure that only authorized personnel have access to the hospital network.