Alaris Gateway Workstation
Vulnerabilities found in infusion pump firmware
June 18, 2019
by John R. Fischer
, Senior Reporter
Becton, Dickinson and Company (BD) has disclosed the discovery of cybersecurity vulnerabilities found within firmware used to manage its Alaris Infusion Pumps.
Discovered by cybersecurity research and analysis team, CyberMDX, the vulnerabilities were found within the Alaris Gateway Workstation (AGW), which provides mounting, power, and communication support to infusion pumps, and the web browser user interface of the AGW.
“Ensuring the safety and quality of our products is the top priority at BD, which is why we have a voluntary, proactive vulnerability disclosure process to ensure our customers are aware of any potential vulnerabilities and the compensating controls to mitigate them,” Troy Kirkpatrick, company spokesperson, told HCB News. “In this regard, with respect to the Alaris Gateway disclosure, resulting from a previously disclosed Windows vulnerability affecting the Windows CE operating system, the vulnerability only affects Alaris Gateway Workstations that have not been updated with one of the latest firmware versions.”
While no harm or patient exploitation took place, such risks create the potential for malicious attacks, including ones that disable devices, install malware, report false information, and in extreme cases, manipulate pumps to alter drug dosage and infusion rates.
Following independent testing and validation, BD tested for and confirmed the vulnerabilities itself, and worked with the U.S. Department of Homeland Security (DHS) and CyberMDX to assess the extent of the risk posed. The vulnerability within the Alaris Gateway firmware earned a CVSS (Common Vulnerability Scoring System) critical risk score of 10.0, while the one within the Web Browser User Interface was scored at 7.3. The remote nature and high impact of attack earned the firmware vulnerability a severity score of 10 out of 10.
However, manipulating dose or infusion rates is difficult, and took BD engineers with intimate product knowledge weeks to confirm that such situations were possible. The vulnerabilities also poses no danger to U.S. hospitals and patients since the Alaris Infusion pump is not used there.
“In order for a malicious attacker to alter a pump's infusion parameters, many prerequisites are required, including access to the hospital network, intimate knowledge of the product and the ability to update and manipulate a CAB file, which stores files in an archived library and utilizes a proper format for Windows CE,” said Kirkpatrick. “The external security research firm was not able to replicate the manipulation of infusion parameters, and there have been no reported exploits of this vulnerability. Because the vulnerability is limited to a single BD infusion system offering that is not sold in the U.S., this disclosure does not apply to the majority of BD infusion systems.”
Updated versions of the firmware released in April 2018 and in February 2019 — before the vulnerabilities were detected — are available, and eliminate the security flaws. Those who choose not to update will have access to a patch within 60 days. BD advises users to block the SMB protocol, segregate their VLAN network, and ensure that only appropriate associates can access the customer network.
CyberMDX suggests that device manufacturers follow proper guidelines to plug up any potential risks for breach.
"Device manufacturers should follow SDL methodology (Security Development Life cycle) which addresses embedding security considerations in every step of the product development process — design, development, QA, aftermarket," Elad Luz, head of research at CyberMDX, told HCB News. "When this methodology is followed, questions concerning authorization would be addressed early in the development stage."