BD Alaris TIVA Syringe Pump Vulnerability

Vedere Labs Team (formerly CyberMDX) Discovers Vulnerability in the BD Alaris TIVA Syringe Pump

ICS-CERT Advisory (ICSMA-18-235-01)

Risk: High. A CVSS v3 grade of 9.4 (critical) has been calculated. The CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H).
Date Discovered by Vedere Labs: May 8, 2018
ICS-CERT Advisory date: August 23, 2018

Summary

Vedere Labs discovered a previously undocumented vulnerability in the device, noting that when the syringe is connected to a network, it is left exposed to remote control from anyone on that network, requiring no authentication. The remote control allows starting/stopping of the pump, changing its rate, silencing alarms, and more.

Vulnerability Details

Product Background

Becton Dickinson’s Alaris^TM TIVA is a popular syringe pump sold primarily outside of the US, found at hospital bedsides, often with more than one per patient. These devices apply precise drug doses to patients over periods that can last from hours to days.

Network Connection

Today it’s common for hospitals to have a medical device connected to their network, as part of their workflows, sending telemetry, and/or working with their databases. This syringe pump has a communication port of the old serial RS232 type. This serial port cannot directly connect to a conventional network.

Surprisingly, many medical devices still use this serial protocol and hospitals typically bridge them to their network using a terminal server.

A terminal server is a small box that accepts serial connections from multiple devices (in hospitals these are usually all medical devices found on the same room) and bridges them all to a standard network.

This bridging is usually accomplished by streaming the serial data into different TCP ports, each corresponding to a different serial device. As a result, the terminal server “listens” to port activity, accepting incoming connections and directing them to the serial port of medical devices behind it.

Though this is far from a best practice for connecting to a network (and not recommended by BD), it is a common practice.

The Attack Scenario

Using a protocol proprietary to the Alaris™ pump series, one can send commands that will instruct it to start/stop the pump, increase the pump rate up to x1000 faster, silence alarms, and more.

The commands can be sent over the hospital’s network if configured in the manner described above (using a terminal server bridge). In this way the pump is exposed to any attacker who has penetrated the hospital network.

Bonus: Reconnaissance

Vedere Labs recreated the attack scenario using terminal servers from industry standard vendors, supplying hospitals all over the world.

In the course of recreating such an event, we further found that an attacker can manage to compromise the device even without any prior knowledge of the IP address / location of the pump. This is because:

• All terminal servers answer to a discovery signal that can be sent over the network. This grants you IP addresses for all the devices connected to the network in just a few seconds.

• Given a terminal server address, you can try to connect to its different ports, and when a connection is made — try to “handshake” with a pump using the proprietary protocol. A successful handshake will result in an active line of command and control communication opened to the syringe pump.

In this way you can find all the connected pumps in a hospital in less than a minute and with no prior knowledge about the network.

Mitigations and Recommendations

The following mitigations and compensating controls are recommended in order to reduce risk associated with this vulnerability:

• Customers should ensure they are operating these devices in a segmented network environment or as a stand-alone device.
• Customers should utilize connections via the Alaris™ Gateway Workstation docker, which would inactivate the remote control feature.

Credit

Elad Luz, Head of Research at CyberMDX, a Forescout Company