Last updated: August 09, 2022
Original Publication: February 06, 2017
This notification is voluntarily reported by BD to the U.S. Department of Homeland Security (DHS) and the U.S. Food and Drug Administration (FDA). BD had previously released this vulnerability notification in 2017. This is an update to the 2017 vulnerability to include a new version of a product in scope and method for exploitation.
This product security bulletin is not related to the BD Alaris™ System recall notifications issued in 2020.
This notification provides product security information and recommendations related to a security vulnerability found within specified versions of the BD Alaris™ PC Unit (“Alaris PCU”). For maximum awareness, BD also voluntarily reported the contents of this bulletin to Information Sharing and Analysis Organizations (ISAOs) where BD participates, including the DHS Cybersecurity and Infrastructure Security Agency (CISA) (formerly Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)) and the Health Information Sharing and Analysis Center (H-ISAC).
BD has released the following Alaris™ PC Unit software, which addresses CVE-2016-8375 and CVE-2016-9355:
BD recommends that customers update to Alaris™ PC Unit versions 12.1.1 or newer, where available based on regulatory authorization. For assistance scheduling the remediation, customers should contact their BD Sales Representative.
This notification applies to the following BD Alaris™ products:
BD originally released this vulnerability notification in 2017. This is an update to the 2017 vulnerability to include a new version of a product in scope and method for exploitation.
BD is aware that an unauthorized user with physical access could potentially open the back of the Alaris PCU, remove the external Wi-Fi card and insert a pre-programmed malicious CompactFlash memory card (CF card) into an external port of the Alaris PCU, which could enable malicious attackers to extract flash memory to gain access to wireless network authentication credentials and other sensitive data. BD has received no reports of exploits related to this vulnerability.
This vulnerability was reported to BD by security vendor Palo Alto Networks.
BD and independent security researchers have identified a security vulnerability in certain versions of Alaris PCU that could allow an unauthorized user to access a facility’s wireless network authentication credentials and other sensitive technical data. Vulnerable data may include:
Depending on current software version, this data may be accessed differently.
BD also discovered that a limited set of ePHI elements could potentially be accessed when an unauthorized user disassembles the Alaris PCU. The limited set of ePHI elements may include:
Please note that the above mentioned ePHI elements do not uniquely identify an individual.
BD and independent security researchers have identified a security vulnerability in older software versions of the Alaris PCU could allow an attacker with physical access to an Alaris PCU device to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling the Alaris™ PCU and accessing the device’s removable flash memory.
For an attacker to exploit this vulnerability, an attacker must physically open the Alaris PCU , which would allow access to the CF card that could then be removed and accessed using a computer. This vulnerability has been successfully demonstrated to BD.
An unauthorized user with physical access to an Alaris PCU may be able to disassemble the device to access the removable flash memory, allowing read-and-write access to device memory. Physical access to the CF card allows an attacker to overwrite application and internal data (logs, drug library, etc.). Older software versions of the Alaris PCU (Version 9.5 and prior) store wireless network authentication credentials and other sensitive technical data on the affected device’s removable flash memory. In addition, the proprietary nature of the stored data format makes it unlikely modification of the CF card would go undetected.
Alaris PCU software versions 9.7 and later do not store any credentials on the removable CF card but instead store this data on internal flash memory.
For an attacker to exploit this vulnerability, an attacker must physically disassemble the Alaris PCU to access the circuit boards containing the flash memory chip. The attacker would then have to undertake additional unauthorized measures to read the sensitive data, such as:
To date, there have been no reports of this vulnerability being exploited but the vulnerability has been confirmed.
This vulnerability only impacts confidentiality and as result does not have a patient safety impact.
This vulnerability has been assessed for clinical impact by BD and represents a negligible probability of harm to the patient, since modifications cannot be made remotely to the clinical functions of the Alaris PCU.
BD has conducted internal risk assessments for this vulnerability and has also collaborated with the U.S. Department of Homeland Security (DHS), U.S. Food and Drug Administration (FDA), and independent security researchers to review baseline and temporal Common Vulnerability Scoring System (CVSS) scores as outlined below. These vulnerability scores can be used in assessing risk within your own organization.
Begin Update B: March 16, 2021
While the attack complexity is low to access the data, an attacker would need internal knowledge of the architecture of the device to exploit the data.
End Update B: March 16, 2021
6.8 (MED) CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Rationale: Physical access is required to exploit this vulnerability. Attack complexity is LOW based on availability of these wireless credentials on the PCU removable CF card, and no system privilege is required. The scope is considered unchanged as the disclosure of a password is a loss of confidentiality on the local system and subsequent attacks would be necessary to change scope. The Network credentials are considered sensitive parameters which results in the Confidentiality impact as HIGH.
4.9 (MED) CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
Rationale: Physical access is required to exploit this vulnerability. Attack complexity is high based on limited availability of these wireless credentials that are stored in the Alaris PCU on internal flash memory. The attacker would then have to use advanced tools to read the flash memory, decode the file system, and then locate and read the credential data. No system privilege is required. Due to the Changed Scope element of this vulnerability with regards to wireless network access credentials, Confidentiality impact is high.
BD will address this vulnerability through an upcoming version of the Alaris PCU software, pending 510(k) clearance. It is recommended that users upgrade to this software version, when it becomes available.
BD recommends hospitals create dedicated medical device wireless networks that only house medical equipment with wireless cards. This could reduce the impact to other devices on the hospital network.
Additionally, BD recommends the following mitigations and compensating controls in order to reduce risk associated with this vulnerability.
For more information on BD’s proactive approach to product security and vulnerability management, please review our vulnerability disclosure process.
March 2021
Product Security Bulletin for BD Alaris™ PC Unit 8015
BD, the BD Logo and all other trademarks are property of Becton, Dickinson and Company. All other trademarks are the property of their respective owners.