Two previously undocumented, critical vulnerabilities in widely deployed medical devices have sparked patient-safety and data-privacy concerns.
Flaws in the Qualcomm Life Capsule Datacaptor Terminal Server and the Becton Dickinson (BD) Alaris TIVA Syringe Pump have been acknowledged by the vendors and publicly disclosed via ICS-CERT.
In the case of the Qualcomm Datacaptor, which was developed in partnership with Capsule Technologies, the hardware at issue is a terminal server – a small box that accepts serial connections from multiple devices and bridges them all to a standard network. It acts as a medical device gateway, connecting things like bedside monitors, respirators, anesthesia delivery systems and infusion pumps to the hospital network.
CyberMDx found the Datacaptor to be exposed to the so-called “Misfortune Cookie” (), which is a threat vector that’s been around for four years.
The flaw exists in a software component named RomPager from AllegroSoft; it allows an attacker to use a specially crafted HTTP cookie to write data to an arbitrary address in the device memory, with no authentication required. This opens the door to a denial of service attack, unauthenticated login, gaining administrator-level privileges on the terminal server, code execution and other nefarious activities.
While the Misfortune Cookie was originally spotted by Check Point in 2014 affecting home routers, the issue has cropped up in many other types of internet of things (IoT) devices since then.
While the Misfortune Cookie flaw was patched with the RomPager version 4.07, the Datacaptor has a web management interface used for remote configuration that uses an earlier, vulnerable version of the software.
The vulnerability carries a severity rating of CVSS 9.8 (critical), because the consequences of an attack could be significant, given that the Datacaptor gives attackers a conduit to a full range of bedside devices, which are typically not password-protected. Elad Luz, head of research at CyberMDX, also told Threatpost in an interview that exploiting the flaw is very simple.
“The attack is not complex,” he said. “An adversary would first need network access—but this is very commonly and easily done, unfortunately.”
As far as real-world attack scenarios, altering the availability or configuration of the Datacaptor can take it – and the devices connected to it – offline. It also allows eavesdropping on communications to lift patient information; and spoofing communications — an attack type that was explored in a DEF CON 2018 session.
Luz also told Threatpost that an attacker could control the function of a medical device connected to the terminal server – a threat vector with potentially profound implications for patient safety.
“There are hundreds of terminal servers in each hospital,” Luz said. “If you compromise them, you’re connected straight to other medical devices, like respirators and monitors. Obtaining a direct connection to any of these allows an attacker to connect to them and do whatever he likes.”
The vendor has released a firmware update for the Single Board version of the DTS, which was originally released mid-2009.
Hospitals should update their Qualcomm Life Capsule devices to the latest software versions where possible, and disable or restrict access to the device’s management ports, including HTTP, Luz said, since they’re not necessary for continued remote support of the devices.
Meanwhile, BD Alaris TIVA syringe pumps, which regulate the amount of IV medicine flowing into patients at bedside, were found to lack protection by any kind of authentication requirements.
These have a remote control function, available to anyone, benign or malicious, with access to the hospital network. The researcher said that using a protocol proprietary to the Alaris pump series, an attacker could take advantage of this open remote control to seriously harm or even kill a patient, by starting or stopping the pump, changing its infusion rate to be faster or slower, silencing alarms to the nurses’ station, and more.
The flaw (which carries a critical CVSS 9.4 severity rating) arises from the use of outdated port technology.
“Today it’s common for hospitals to have a medical device connected to their network, as part of their workflows, sending telemetry and/or working with their databases,” Luz said in a writeup of the issue. “This syringe pump has a communication port of the old serial RS232 type. This serial port cannot directly connect to a conventional network. Surprisingly, many medical devices still use this serial protocol and hospitals typically bridge them to their network using a terminal server.”
This bridging is usually accomplished by streaming the serial data into different TCP ports, each corresponding to a different serial device.
“As a result, the terminal server ‘listens’ to port activity, accepting incoming connections and directing them to the serial port of medical devices behind it,” Luz explained. “Though this is far from a best practice for connecting to a network (and not recommended by BD), it is a common practice.”
CyberMDX further found that an attacker can compromise the device even without any prior knowledge of the IP address or network location of the pump, because a discovery signal can be sent that returns all of the IP addresses for all devices connected to the network in just a few seconds.
“Given a terminal server address, you can try to connect to its different ports, and when a connection is made — try to handshake with a pump using the proprietary protocol. A successful handshake will result in an active line of command and control communication opened to the syringe pump,” Luz said. “In this way you can find all the connected pumps in a hospital in less than a minute and with no prior knowledge about the network.”
The devices are vulnerable if they’re running software version 2.3.6 and below, according to CyberMDX. In addition to upgrading software versions, hospitals should make sure they have a segmented network environment as a general best practice; and, Luz said that if they use the Alaris Gateway Workstation docker, it inactivates the remote-control feature.
“Hospitals should be aware of what they connect to the network – some of the devices only allow telemetry; others are available for full remote control,” Luz told Threatpost. “Hospitals need to make informed decisions about these devices and whether or not they should be left open.”