true
Potential Physical Access to Wireless Credentials Alaris PC Unit PCU model 8015

Background

Last updated: August 09, 2022
Original Publication: February 06, 2017

This notification is voluntarily reported by BD to the U.S. Department of Homeland Security (DHS) and the U.S. Food and Drug Administration (FDA). BD had previously released this vulnerability notification in 2017. This is an update to the 2017 vulnerability to include a new version of a product in scope and method for exploitation.

This product security bulletin is not related to the BD Alaris™ System recall notifications issued in 2020.

This notification provides product security information and recommendations related to a security vulnerability found within specified versions of the BD Alaris™ PC Unit (“Alaris PCU”). For maximum awareness, BD also voluntarily reported the contents of this bulletin to Information Sharing and Analysis Organizations (ISAOs) where BD participates, including the DHS Cybersecurity and Infrastructure Security Agency (CISA) (formerly Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)) and the Health Information Sharing and Analysis Center (H-ISAC).

BEGIN UPDATE C: Aug 09, 2022

Remediation

BD has released the following Alaris™ PC Unit software, which addresses CVE-2016-8375 and CVE-2016-9355:

  • Alaris™ PC Unit 8015 Software Versions 12.1.1 and newer

 

BD recommends that customers update to Alaris™ PC Unit versions 12.1.1 or newer, where available based on regulatory authorization. For assistance scheduling the remediation, customers should contact their BD Sales Representative.

END UPDATE C: Aug 09, 2022

Products in Scope

This notification applies to the following BD Alaris™ products:

  • Begin Update B: March 16, 2021
    • BD Alaris™ PCU, Model 8015, versions 9.33.1 and earlier
      All Alaris System software versions less than 9.19 are end of life. BD recommends that customers upgrade Alaris System software when BD releases its next version of software, upon 510(k) clearance.
    End Update B: March 16, 2021
  • Alaris PCU Model 8015 9.5 or earlier. The Alaris™ PC unit software version 9.5 was released in 2010.
  • Alaris PCU Model 8015 9.7 or later. The Alaris™ PC unit software version 9.7 was released in 2011.

Vulnerability Details

Begin Update B: March 16, 2021

BD originally released this vulnerability notification in 2017. This is an update to the 2017 vulnerability to include a new version of a product in scope and method for exploitation.

BD is aware that an unauthorized user with physical access could potentially open the back of the Alaris PCU, remove the external Wi-Fi card and insert a pre-programmed malicious CompactFlash memory card (CF card) into an external port of the Alaris PCU, which could enable malicious attackers to extract flash memory to gain access to wireless network authentication credentials and other sensitive data. BD has received no reports of exploits related to this vulnerability.

This vulnerability was reported to BD by security vendor Palo Alto Networks.

End Update B: March 16, 2021

BD and independent security researchers have identified a security vulnerability in certain versions of Alaris PCU that could allow an unauthorized user to access a facility’s wireless network authentication credentials and other sensitive technical data. Vulnerable data may include:

  • Wireless network Service Set Identifier (SSID)
  • Wired Equivalent Privacy (WEP) keys
  • WiFi Protected Access (WPA) Username, Password, Passphrase
  • Root/Client Certificates
  • Advanced Encryption Standard (AES) keys used to encrypt data in transit
  • Alaris Systems Manager internet protocol (IP) address

Depending on current software version, this data may be accessed differently.

BD also discovered that a limited set of ePHI elements could potentially be accessed when an unauthorized user disassembles the Alaris PCU. The limited set of ePHI elements may include:

  • Patient ID
  • Infusion parameters
  • Past infusion history
  • Patient weight (for weight-based infusion)

Please note that the above mentioned ePHI elements do not uniquely identify an individual.

Alaris PCU model 8015 with software version 9.5 or earlier

BD and independent security researchers have identified a security vulnerability in older software versions of the Alaris PCU could allow an attacker with physical access to an Alaris PCU device to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling the Alaris™ PCU and accessing the device’s removable flash memory.

For an attacker to exploit this vulnerability, an attacker must physically open the Alaris PCU , which would allow access to the CF card that could then be removed and accessed using a computer. This vulnerability has been successfully demonstrated to BD.

Alaris PCU with software version 9.7 or later

Begin Update B: March 16, 2021

An unauthorized user with physical access to an Alaris PCU may be able to disassemble the device to access the removable flash memory, allowing read-and-write access to device memory. Physical access to the CF card allows an attacker to overwrite application and internal data (logs, drug library, etc.). Older software versions of the Alaris PCU (Version 9.5 and prior) store wireless network authentication credentials and other sensitive technical data on the affected device’s removable flash memory. In addition, the proprietary nature of the stored data format makes it unlikely modification of the CF card would go undetected.

End Update B: March 16, 2021

Alaris PCU software versions 9.7 and later do not store any credentials on the removable CF card but instead store this data on internal flash memory.

For an attacker to exploit this vulnerability, an attacker must physically disassemble the Alaris PCU to access the circuit boards containing the flash memory chip. The attacker would then have to undertake additional unauthorized measures to read the sensitive data, such as:

  1. Obtain knowledge of the Alaris command interface and craft a script to copy credentials
  2. Use advanced tools to read the flash memory, decode the file system, and finally locate and read the sensitive data

To date, there have been no reports of this vulnerability being exploited but the vulnerability has been confirmed.

Clinical Risk Assessment and Patient Safety Impact

Begin Update B: March 16, 2021

This vulnerability only impacts confidentiality and as result does not have a patient safety impact.

End Update B: March 16, 2021

This vulnerability has been assessed for clinical impact by BD and represents a negligible probability of harm to the patient, since modifications cannot be made remotely to the clinical functions of the Alaris PCU.

Product Security Risk Assessment and Vulnerability Score

BD has conducted internal risk assessments for this vulnerability and has also collaborated with the U.S. Department of Homeland Security (DHS), U.S. Food and Drug Administration (FDA), and independent security researchers to review baseline and temporal Common Vulnerability Scoring System (CVSS) scores as outlined below. These vulnerability scores can be used in assessing risk within your own organization.

8015 with software version 9.5 or earlier:

Begin Update B: March 16, 2021

While the attack complexity is low to access the data, an attacker would need internal knowledge of the architecture of the device to exploit the data.

End Update B: March 16, 2021

6.8 (MED) CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Rationale: Physical access is required to exploit this vulnerability. Attack complexity is LOW based on availability of these wireless credentials on the PCU removable CF card, and no system privilege is required. The scope is considered unchanged as the disclosure of a password is a loss of confidentiality on the local system and subsequent attacks would be necessary to change scope. The Network credentials are considered sensitive parameters which results in the Confidentiality impact as HIGH.

8015 with software version 9.7 or later:

4.9 (MED) CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

Rationale: Physical access is required to exploit this vulnerability. Attack complexity is high based on limited availability of these wireless credentials that are stored in the Alaris PCU on internal flash memory. The attacker would then have to use advanced tools to read the flash memory, decode the file system, and then locate and read the credential data. No system privilege is required. Due to the Changed Scope element of this vulnerability with regards to wireless network access credentials, Confidentiality impact is high.

Mitigations & Compensating Controls

Begin Update B: March 16, 2021

BD will address this vulnerability through an upcoming version of the Alaris PCU software, pending 510(k) clearance. It is recommended that users upgrade to this software version, when it becomes available.

BD recommends hospitals create dedicated medical device wireless networks that only house medical equipment with wireless cards. This could reduce the impact to other devices on the hospital network.

End Update B: March 16, 2021

Additionally, BD recommends the following mitigations and compensating controls in order to reduce risk associated with this vulnerability.

  • Customers are advised to follow procedures for clearing wireless network authentication credentials on the Alaris PCU if the device is to be removed or transported from the facility. These procedures are outlined in the Alaris System Maintenance Software User Manual.
  • Customers are advised to change their wireless network authentication credentials regularly, and immediately if there is evidence of unauthorized physical access to an Alaris device at their facility. Additionally, all wireless credentials should be cleared prior to transferring an Alaris device to another facility.
  • Customers are encouraged to consider security policy in which wireless credentials are not configured for the Alaris PCU if wireless networking functionality is not being utilized for operation. This will remediate the vulnerability for non-wireless users.
  • For Alaris PCU software version 9.7 and later, BD has implemented Federal Information Processing Standard (FIPS) 140-2 Level 2 physical security controls, including standard tamper-evident physical seals which can be applied to hardware to provide indication of unauthorized physical access, if customers request that BD enable FIPS mode on the Alaris PCU .

    Customers should review “FIPS 140-2 Compliance Instructions for Alaris Products” guide, pages 11-29, for information on how to enforce FIPS 140-2 level 2 physical security controls on the Alaris PCU.
  • Customers may choose to implement Access Control Lists (ACLs) that restrict device access to specific media access control (MAC) and IP addresses, ports, protocols, and services.
  • A customer may choose to place Alaris PCUs on an isolated network with dedicated SSID to reduce the impact of compromised wireless network credentials. In all cases, security best practice prescribes frequent changing of SSID and wireless authentication credentials.

Additional Resources

For more information on BD’s proactive approach to product security and vulnerability management, please review our vulnerability disclosure process.

March 2021
Product Security Bulletin for BD Alaris™ PC Unit 8015

BD, the BD Logo and all other trademarks are property of Becton, Dickinson and Company. All other trademarks are the property of their respective owners.