Hacking these medical pumps is as easy as copying a booby-trapped file over the network
Uncle Sam sounds alarm after Windows CE SMB left wide open on hospital equipment
Two security vulnerabilities in medical workstations can exploited by scumbags to hijack the devices and connected infusion pumps, potentially causing harm to patients, the US government revealed today.
The flaws, CVE-2019-10959, rated critical (specifically, 10 out 10 in severity), and CVE-2019-10962, rated medium (7.5), were identified by infosec biz CyberMDX. The bugs affect certain versions of the Becton Dickinson’s Alaris Gateway Workstation (AGW), which provides power and network connectivity to infusion and syringe pumps. The equipment is not sold in America, though it is used across Europe and Asia.
The US Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued an advisory, ICSMA-19-164-01, detailing the flaws. AGW devices running the latest firmware, versions 1.3.2 and 1.6.1, are not affected; earlier iterations are however.
For the critical flaw, that includes: 1.1.3 Build 10, 1.1.3 MR Build 11, 1.2 Build 15, 1.3.0 Build 14, and 1.3.1 Build 13. For the medium flaw, affected versions include: 1.0.13, 1.1.3 Build 10, 1.1.3 MR Build 11, 1.1.5, and 1.1.6.
Beyond AGW hardware running older firmware, several other Alaris devices – GS, GH, CC and TIVA – running software version 2.3.6, released in 2006, are also affected.
An attacker successfully exploiting the critical flaw could remotely install malicious firmware, thereby disabling the workstation or altering its function.
Docs ran a simulation of what would happen if really nasty malware hit a city's hospitals. RIP :(READ MORE
To do so, the attacker would first need access to the hospital network. Given that hospitals and healthcare organizations run out of date operating systems and software, and are routinely ransacked by ransomware, this shouldn't be too much of a stretch.
Next, the intruder crafts a Windows Cabinet file (CAB), an archive format used for storing data related to Microsoft Windows drivers and system files, that is booby-trapped with malicious executables.
Here's the heart of the vulnerability: it is possible to update an AGW's firmware over the network without any special privileges or authentication; you just have to copy across a CAB file using Windows SMB. That means the hacker can upload their malicious .CAB to a vulnerable workstation, powered by Windows CE, and the archive will be unpacked by the AGW on its file system, overriding its executables with the intruder's malware or spyware.
Recommended mitigations including blocking the SMB protocol, segregating the VLAN network, and taking steps to limit who has access to the hospital network.
In an advisory on its website, device maker Becton Dickinson said, "BD has assessed the change in scope to this vulnerability for clinical impact and concluded that although the probability of remotely exploiting the vulnerability to the Workstation and then creating a custom, executable code that impacts the delivery of a patient's IV infusion is theoretically possible, the probability of patient harm is unlikely to occur due to the sequence of events that must occur in a specific order by a highly trained attacker."
The other less serious flaw affects could allow an attacker with knowledge of the IP address of the device to access information through its browser interface, including monitoring data, event logs, user guide and configuration settings.
This browser interface issue can be mitigated through the installation of firmware versions 1.3.2 or 1.6.1. Limiting and segmenting network access are also advisable.
In an emailed statement, Elad Luz, Head of Research at CyberMDX, stressed the need of everyone involved with medical devices – device makers, hospitals, and technology companies – to commit to cybersecurity in order to ensure patient safety. ®