Research Team Discovers Two Major Medical Device Vulnerabilities

CyberMDX, a healthcare cybersecurity provider delivering visibility and threat prevention for medical devices and clinical networks, today announced that the research group of its company has discovered two security vulnerabilities found in commonly used medical devices: Becton Dickinson (BD)’s Alaris TIVA Syringe Pump and Qualcomm Life Capsule’s Datacaptor Terminal Server (DTS). Working closely with both vendors, the vulnerabilities have been publicly disclosed via ICS-CERT.
 
BD Alaris TIVA Syringe Pump Vulnerability
CyberMDX found a potential vulnerability in the BD Alaris TIVA syringe pump with software version 2.3.6 and below that is sold and used outside of the U.S.
 
Through CyberMDX’s research, the team discovered that if a malicious attacker can gain access to a hospital’s network and if the Alaris TIVA syringe pump is connected to a terminal server, the attacker can perform hacks without any prior knowledge of IP addresses or location of the pump.
 
The attack could lead to unauthorized start/stop of the pump and/or unauthorized changes in the rate of infusion.
 
To learn more about this potential vulnerability, classified as a CVSS 9.4 (critical), refer to the ICS-CERT advisory (ICSMA-18-235-01).
 
CyberMDX worked closely with the Product Security team at BD that emphasizes collaboration across the healthcare industry to enhance cybersecurity of medical technology and devices.
 
More information on the vulnerability can be found on the CyberMDX website.
 
Qualcomm Life Capsule Datacaptor Terminal Server Vulnerability
Qualcomm Life Capsule’s Datacaptor Terminal Server (DTS) is a medical gateway device used by hospitals to connect their medical devices to the network. The gateway is typically used to connect bedside devices such as monitors, respirators, anesthesia, and infusion pumps, and like many other IoT devices, the DTS has a web management interface used for remote configuration, based on Allegrosoft RomPager.
 
The CyberMDX research team found that interacting with the web management using the “Misfortune Cookie” vulnerability, which hands out a crafted HTTP cookie to the device, resulted in an arbitrary write to its memory. This action can be performed with no authentication and the arbitrary write may be used to login without credentials, gain administrator-level privileges on the terminal server, or simply crash them. This may result in harm to the device availability as well as the network connectivity of the serial medical devices connected to it.
 
Although the Misfortune Cookie vulnerability has been publicly known for four years, prior to this disclosure, there was no awareness of it in this instance.
 
After collaboration with Qualcomm Life Capsule, CyberMDX recommended users to immediately update the DTS devices to their latest firmware version to overcome the vulnerability. Qualcomm Life worked quickly to validate the vulnerability, provide a workaround and an update to the firmware, and notify customers.
 
To learn more about this potential vulnerability, classified as a CVSS 9.8 (critical), refer to the ICS-CERT Advisory (ICSMA-18-240-01).
 
The full disclosure report on the research can be accessed on the CyberMDX website.
 
“Uncovering these vulnerabilities illustrates how responsible disclosure between cybersecurity researchers and medical device vendors can work when both sides are committed to improving patient safety,” said Elad Luz, Head of Research at CyberMDX. “We are a catalyst for change in the healthcare industry by focusing our research capabilities solely on medical devices. Our research team is committed to ensuring patient safety by tirelessly working closely with hospitals and manufacturers to improve the security and resiliency of connected medical devices at hospitals worldwide.”