Hacking these medical pumps is as easy as copying a booby-trapped file over the network

Uncle Sam sounds alarm after Windows CE SMB left wide open on hospital equipment


Two security vulnerabilities in medical workstations can be exploited by scumbags to hijack the devices and connected infusion pumps, potentially causing harm to patients, the US government revealed today.

The flaws, CVE-2019-10959, rated critical (specifically, 10 out of 10 in severity), and CVE-2019-10962, rated medium (7.5), were identified by infosec biz CyberMDX. The bugs affect certain versions of Becton Dickinson's Alaris Gateway Workstation (AGW), which provides power and network connectivity to infusion and syringe pumps. The equipment is not sold in America, though it is used across Europe and Asia.

The US Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued an advisory, ICSMA-19-164-01, detailing the flaws. AGW devices running the latest firmware, versions 1.3.2 and 1.6.1, are not affected; earlier iterations are, however.

For the critical flaw, that includes: 1.1.3 Build 10, 1.1.3 MR Build 11, 1.2 Build 15, 1.3.0 Build 14, and 1.3.1 Build 13. For the medium flaw, affected versions include: 1.0.13, 1.1.3 Build 10, 1.1.3 MR Build 11, 1.1.5, and 1.1.6.

Beyond AGW hardware running older firmware, several other Alaris devices – GS, GH, CC and TIVA – running software version 2.3.6, released in 2006, are also affected.

An attacker successfully exploiting the critical flaw could remotely install malicious firmware, thereby disabling the workstation or altering its function.


To do so, the attacker would first need access to the hospital network. Given that hospitals and healthcare organizations run out-of-date operating systems and software, and are routinely ransacked by ransomware, this shouldn't be too much of a stretch.

Next, the intruder crafts a Windows Cabinet file (CAB), an archive format used for storing data related to Microsoft Windows drivers and system files, that is booby-trapped with malicious executables.

Here's the heart of the vulnerability: it is possible to update an AGW's firmware over the network without any special privileges or authentication; you just have to copy across a CAB file using Windows SMB. That means the hacker can upload their malicious .CAB to a vulnerable workstation, powered by Windows CE, and the archive will be unpacked by the AGW on its file system, overwriting its executables with the intruder's malware or spyware.

Recommended mitigations include blocking the SMB protocol, segregating the VLAN network, and taking steps to limit who has access to the hospital network.
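As an added example, not code from the article, BD or CyberMDX: a small Python detection that reads constructed, simplified Zeek-style smb_files.log lines and flags .cab writes into the pump VLAN from any host other than an approved update server, which is the traffic pattern the critical flaw relies on. The VLAN range, the approved updater address and the log lines are all assumptions made for this example.

```python
# Added example (not from the article, BD or CyberMDX): flag SMB writes of
# .cab archives to infusion-pump workstations, the delivery path described
# for CVE-2019-10959, from hosts not approved to push firmware.
import ipaddress
from typing import Dict, List

# Assumption: the AGW/pump VLAN is 10.50.0.0/24 and only one named update
# host may push firmware. Both values are constructed for this example.
PUMP_VLAN = ipaddress.ip_network("10.50.0.0/24")
ALLOWED_UPDATERS = {"10.10.1.5"}

# Constructed log lines in a simplified, tab-separated Zeek smb_files.log
# shape (ts, id.orig_h, id.resp_h, action, name). Not a real capture.
SAMPLE_SMB_LOG = """\
1560441601.1\t10.10.1.5\t10.50.0.21\tSMB::FILE_WRITE\tupdate\\agw_1.3.2.cab
1560441655.3\t10.10.7.88\t10.50.0.21\tSMB::FILE_WRITE\ttemp\\patch.CAB
1560441660.0\t10.10.7.88\t10.50.0.21\tSMB::FILE_OPEN\tlogs\\events.txt
1560441702.9\t10.10.7.88\t10.10.2.14\tSMB::FILE_WRITE\tshare\\drivers.cab
"""


def parse_smb_log(text: str) -> List[Dict[str, str]]:
    """Turn tab-separated smb_files lines into dicts; skip blank/comment lines."""
    fields = ("ts", "orig_h", "resp_h", "action", "name")
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def flag_cab_pushes(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return rows where an unapproved host writes a .cab to a pump-VLAN device."""
    hits = []
    for r in rows:
        if r["action"] != "SMB::FILE_WRITE":
            continue                      # only writes can deliver a CAB
        if not r["name"].lower().endswith(".cab"):
            continue                      # case-insensitive: .CAB is also a hit
        if ipaddress.ip_address(r["resp_h"]) not in PUMP_VLAN:
            continue                      # target is not a pump workstation
        if r["orig_h"] in ALLOWED_UPDATERS:
            continue                      # sanctioned firmware push
        hits.append(r)
    return hits


if __name__ == "__main__":
    for hit in flag_cab_pushes(parse_smb_log(SAMPLE_SMB_LOG)):
        print(f"{hit['ts']}: {hit['orig_h']} wrote {hit['name']} to {hit['resp_h']}")
```

Only the second line is reported: the first is the approved updater, the third is not a write, and the fourth targets a host outside the pump VLAN.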

In an advisory on its website, device maker Becton Dickinson said, "BD has assessed the change in scope to this vulnerability for clinical impact and concluded that although the probability of remotely exploiting the vulnerability to the Workstation and then creating a custom, executable code that impacts the delivery of a patient's IV infusion is theoretically possible, the probability of patient harm is unlikely to occur due to the sequence of events that must occur in a specific order by a highly trained attacker."

The other, less serious flaw could allow an attacker with knowledge of the IP address of the device to access information through its browser interface, including monitoring data, event logs, the user guide, and configuration settings.

This browser interface issue can be mitigated through the installation of firmware versions 1.3.2 or 1.6.1. Limiting and segmenting network access are also advisable.

In an emailed statement, Elad Luz, Head of Research at CyberMDX, stressed the need for everyone involved with medical devices – device makers, hospitals, and technology companies – to commit to cybersecurity in order to ensure patient safety. ®
