Certain Becton Dickinson Products at Risk for 'KRACK' Flaw
Regulators Issue Warning; Vendor Implementing Patch Plan
A dozen medication and supply management products from Becton Dickinson and Co. are vulnerable to flaws identified last year in the Wi-Fi Protected Access 2, or WPA2, protocol, putting the products at risk for so-called KRACK (or key reinstallation) attacks, according to a federal advisory. Such attacks can potentially lead to malware infections.
The alert from the Department of Homeland Security's Industrial Control Cyber Emergency Response Team is based on BD reporting to DHS that KRACK vulnerabilities may affect some versions of the vendor's Pyxis medication and supply management products.
The ICS-CERT alert follows a bulletin BD issued last month updating a disclosure the company released in October 2017 about the KRACK vulnerability potentially impacting some of its products, as well as "any Wi-Fi devices that use the WPA2 protocol."
At the time of the October disclosure, the company said it was "monitoring the developing situation with a recently disclosed set of vulnerabilities found in the WPA2 protocol affecting confidentiality, integrity and availability of communication between a Wi-Fi access point and a Wi-Fi-enabled client."
The updated BD advisory is "a voluntary disclosure intended to help healthcare providers understand what equipment employs the WPA2 protocol and notify them that we have deployed the necessary patches to their equipment," a company spokesman tells Information Security Media Group.
"BD devices are no more vulnerable to this issue than any other device or computer that uses WPA2 protocol," he adds.
Successful exploits allow an attacker to gain man-in-the-middle access to communications and potentially inject malicious data, including malware or ransomware, Vanhoef says.
Regarding the impacted BD products, ICS-CERT warns that successful exploitation of the KRACK vulnerability "could allow data traffic manipulation, resulting in partial disclosure of encrypted communication or injection of data."
Vanhoef's research found that an array of devices that connect to Wi-Fi networks are vulnerable to KRACK, including Android, Linux, Apple, Windows, and Linksys products. In recent months, multiple vendors, including Apple, Google, Linksys and Microsoft, have issued KRACK vulnerability patches.
In its recently updated alert about the vulnerabilities, BD says many of its third-party suppliers of technology used in the affected products have issued patches, which BD has implemented through the company's "routine patch deployment process."
Due to the design and functionality of some affected products, however, the company says "coordination with customers is necessary to properly deploy patches. BD is in the process of contacting customers to schedule and deploy patches."
Additionally, BD says it recommends customers implement compensating controls to reduce risk associated with the KRACK vulnerability, including ensuring that:
- The latest recommended updates for Wi-Fi access points have been implemented in Wi-Fi-enabled networks;
- Appropriate physical controls are in place to prevent attackers from being within physical range of an affected Wi-Fi access point and client;
- Data has been backed up and stored according to an organization's individual processes and disaster recovery procedures.
Alerts from regulators - as well as mitigation actions by manufacturers - involving the cybersecurity of medical devices appear to be becoming more common as new threats and risks potentially impacting patient safety, as well as data security, are identified.
For instance, in April, Abbott Laboratories said it was issuing software updates for certain implantable cardiac devices to address cybersecurity flaws and battery issues that pose potential safety risks to patients.
The products were previously sold by medical device maker St. Jude Medical, which Abbott acquired last year. The Abbott Lab device problems were also the subject of previous warnings by the FDA and ICS-CERT, which both issued new advisories last month about the availability of the Abbott software patches.
BD has also been the subject of at least one previous cyber alert.
In April 2016, two independent researchers revealed that they found that some BD legacy products were at risk for 1,418 third-party software vulnerabilities. Those affected products were end-of-lifecycle versions of the Pyxis SupplyStation system from CareFusion, which BD acquired earlier in 2016 (see Security Flaws in Legacy Medical Supply Systems).
More to Come?
Ben Ransford, co-founder and CEO of Virta Labs, a healthcare cybersecurity firm, says many devices across many industries are potentially impacted by the KRACK flaws that were identified last year.
"Essentially every device that uses Wi-Fi needs a patch against KRACK, so neither the existence nor the timing of this disclosure is surprising," he says. "We'll see similar disclosures from other manufacturers. Some manufacturers won't be able to address KRACK with software patches because they depend on third-party radio modules."
Ransford says BD is taking the right step in making its recently updated disclosure. "The broader lesson for medical device manufacturers is that you have to design defensively," he says. "You can't assume the pipes are always secure from eavesdropping or tampering. In this case, the most straightforward solution is to design systems to encrypt traffic with TLS regardless of the pipe that carries it."
Ransford advises healthcare providers "to treat this as you would a normal software update. KRACK is a somewhat fancy attack with limited upside for attackers, so I think the actual risk of compromise is fairly low."