Healthcare devices used to administer drugs could be exploited to alter dosage rates

Vulnerabilities in a line of medical infusion pumps used globally could allow attackers to hijack and remotely interfere with the devices, researchers have warned.

Security flaws were discovered in the Becton Dickinson Alaris Gateway Workstation (AGW) – a device used to mount, power, and communicate with infusion pumps, and one which is used by hospitals across Europe and Asia.

Infusion pumps are used to administer and regulate the dispensing of fluids such as painkillers or other drugs, and are also used during chemotherapy sessions.

Researchers at healthcare security firm CyberMDX have found that certain unpatched versions of the AGW units are vulnerable to remote attack – and in the worst-case scenario, this could enable miscreants to alter infusion dosages.

The first vulnerability – CVE-2019-10959 – relates to an “unrestricted upload of file with dangerous type bug”, which was confirmed by the US ICS-CERT and assigned the highest severity rating of 10.0.

The security flaw could allow a malicious actor to remotely install dangerous versions of firmware onto the device’s onboard computer.

A second bug in the web browser user interface could allow an attacker to access the status and configuration of the device via the hospital’s network.

The vulnerability – CVE-2019-10962 – relates to an improper access control bug and was given a less severe rating of 7.3.

Affected versions of the device can be found in the ICS-CERT release. The latest versions are not vulnerable.

Exploit chain

Combined, these bugs could be used by attackers to alter the dosage or speed of infusion, display inaccurate results, or knock the devices offline, researchers warned.

In order to perform the attacks, a number of steps do have to be fulfilled. For example, the attacker would need to know the hospital’s IP address, have working knowledge of the device, and be able to access to the healthcare facility’s network.

Elad Luz, head of research at CyberMDX, told The Daily Swig: “In order to exploit the firmware vulnerability, a hacker would need access to the hospital network, but not the physical device itself. As long as the hacker could gain access to the hospital’s network, he or she could be sitting anywhere in the world.

“For the web management vulnerability, there is no patient information at risk, but rather the hacker could gain access to the device and view dose amounts and medication types of the pumps docked on the AGW.

“The hacker could also change network settings of the device and even perform a reset for the AGW, however, these should not affect the operation of the pumps. The firmware vulnerability on the other hand has the potential of controlling the pumps.”

A spokesperson for the vendor told The Daily Swig that affected devices are not sold in the US, where the company is based.

They also said that the vulnerabilities do not affect the majority of Becton Dickinson (BD) infusion pumps, but would not confirm the number of vulnerable devices for “competitive reasons”.

“In addition, the vulnerability is fully corrected by updating the Alaris Gateway Workstation to the latest firmware, which is readily available, and for those who don’t update their firmware, BD will provide a software patch within 60 days,” said Troy Kirkpatrick, senior director of public relations.

Insecure gateways

Though the numerous steps needed to carry out this attack may lessen the real-world implications, this latest research once again calls to attention the threats posed by internet-connected healthcare devices.

Jelena Milosevic, a Netherlands-based paediatric nurse and security campaigner, told The Daily Swig that the healthcare industry isn’t doing enough to ensure that IoT devices are safe to use.

She said: “A quote I saw on Twitter recently said, ‘We build our computer systems the way we build our cities – over time, without a plan, on top of ruins’, and that’s exactly the same for healthcare systems and healthcare security therein.”

Milosevic said that the trend for connecting medical devices to the internet is putting patients’ lives at risk – and that both the manufacturers and hospitals should be held accountable for security.

“No one is checking, do we really need it?” she said.

“In my opinion I don’t see the reason to connect those or most [devices] to the internet. What’s so important that it could [justify] that risk?”

Suggested mitigations to protect against CVE-2019-10962 include updating the firmware to the latest version 1.3.2, or 1.6.1 and isolating networks from untrusted systems.

To protect against CVE-2019-10959, BD recommends that users block the SMB protocol, segregating the VLAN network, and only allow “appropriate associates” to access the network.