Cyber vulnerabilities found in two major medical devices

Cyber-security provider to the healthcare sector, CyberMDX, says it has discovered two security vulnerabilities found in commonly used medical devices: Becton Dickinson (BD)’s Alaris TIVA syringe pump and Qualcomm Life Capsule’s Datacaptor Terminal Server (DTS).

Working closely with both vendors, CyberMDX says the vulnerabilities have been publicly disclosed via ICS-CERT.

CyberMDX found a potential vulnerability in the BD Alaris TIVA syringe pump with software version 2.3.6 and below that is sold and used outside of the U.S.

Through CyberMDX’s research, the team discovered that if a malicious attacker can gain access to a hospital’s network and if the Alaris TIVA syringe pump is connected to a terminal server, the attacker can perform hacks without any prior knowledge of IP addresses or location of the pump.

The attack could lead to unauthorised start/stop of the pump and/or unauthorised changes in the rate of infusion.

More information about the potential vulnerability, classified as a CVSS 9.4 (critical), is available from the ICS-CERT advisory (ICSMA-18-235-01).

CyberMDX says it worked closely with the product security team at BD.

Qualcomm Life Capsule's Datacaptor Terminal Server (DTS) is a medical gateway device used by hospitals to connect their medical devices to the network. The gateway is typically used to connect bedside devices such as monitors, respirators, anesthesia, and infusion pumps, and like many other IoT devices, the DTS has a web management interface used for remote configuration, based on Allegrosoft RomPager.

The CyberMDX research team found that interacting with the web management using the "Misfortune Cookie" vulnerability, which hands out a crafted HTTP cookie to the device, resulted in an arbitrary write to its memory. This action can be performed with no authentication and the arbitrary write may be used to login without credentials, gain administrator-level privileges on the terminal server, or simply crash them. This may result in harm to the device availability as well as the network connectivity of the serial medical devices connected to it.

Although the Misfortune Cookie vulnerability has been publicly known for four years, prior to this disclosure, there was no awareness of it in this instance.

After collaboration with Qualcomm Life Capsule, CyberMDX recommended users to immediately update the DTS devices to their latest firmware version to overcome the vulnerability. Qualcomm Life worked quickly to validate the vulnerability, provide a workaround and an update to the firmware, and notify customers, according to CyberMDX.

More information about the potential vulnerability, classified as a CVSS 9.8 (critical), is available from the ICS-CERT advisory (ICSMA-18-240-01).

“Uncovering these vulnerabilities illustrates how responsible disclosure between cybersecurity researchers and medical device vendors can work when both sides are committed to improving patient safety,” said Elad Luz, Head of Research at CyberMDX. “We are a catalyst for change in the healthcare industry by focusing our research capabilities solely on medical devices. Our research team is committed to ensuring patient safety by tirelessly working closely with hospitals and manufacturers to improve the security and resiliency of connected medical devices at hospitals worldwide.”