The Department of Homeland Security (DHS) warned about a vulnerability that is affecting a lot of medical devices that apply the WPA2 protocol for safeguarding WiFi communications. The flaw in WPA2 was discovered last October. It can possibly be exploited by hackers to intercept WiFi communications.
The method of attack, known as a KRACK – or key reinstallation – attack, could be used for installing malware on gadgets or acquire or modify patient data. As per ICS-CERT, “The four-way hand shake traffic in the Wi-Fi Protected Access WPA and WPA2 protocol could be altered to permit nonce reuse which results in key reinstallation. This will enable an attacker to carry out a ‘man-in-the-middle’ attack, making it possible for the attacker within radio range to decrypt, replay or spoof frames.”
To exploit the flaw, an attacker must be within radio range of a vulnerable gadget. So, that’s a restriction that reduces the possibility for the flaw to be taken advantage of. Exploiting the flaw isn’t clear-cut and demands a high level of techie skill. Because the flaw is in the WPA2 protocol utilized to protect modern Wi-Fi networks, a lot of healthcare devices are vulnerable to this kind of attack. Because the flaw was uncovered, lots of vendors have applied patches to fix the vulnerability and safeguard their gadgets.
Becton, Dickinson and Company (BD), just like other medical device manufacturers, has identified that a number of its products are vulnerable to KRACK. Last October, when the flaw was initially exposed, BD circulated a notification stating that it was keeping track of the developments. In a recent security bulletin, BD has proactively notified healthcare organizations concerning the products which could possibly be affected via KRACK.
BD voluntarily disclosed to the public which products were at risk so that healthcare providers are aware of the possible risk, and to notify them that they have taken steps to minimize the vulnerability. This was achieved by using third-party vendor patches.
BD together with DHS worked to make certain consumers utilizing vulnerable devices are informed of the risk and are taking steps that to safeguard the products. In its bulletin, BD revealed that the flaw could possibly be exploited via an adjacent network with no user rights or user interaction. Although particular BD products were found to be vulnerable since they used the WPA2 protocol, they were just as at risk as any other product that makes use of the WPA2 protocol.
BD remarks that the KRACK vulnerability of the following products has been dealt with by means of its routine patch deployment procedure:
- BD Pyxis™ Anesthesia ES
- BD Pyxis™ Anesthesia System 4000
- BD Pyxis™ Anesthesia System 3500
- BD Pyxis™ CIISafe – Workstation
- BD Alaris™ Gateway Workstation
- BD Pyxis™ MedStation 4000 T2
- BD Pyxis™ MedStation ESv
- BD Pyxis™ Supply Roller
- BD Pyxis™ SupplyStation
- BD Pyxis™ StockStation System
The following products still have issues in applying patches to correct the vulnerability. There must be proper coordination with BD to appropriately release the patches:
- BD Pyxis™ ParAssist System
- BD Pyxis™ Parx
- BD Pyxis™ Parx handheld
BD is getting in touch with clients who use those products to put a time frame on the deployment of the patches. BD recommended that customers should consider the following steps to reduce the risk connected with KRACK:
- Make sure to implement the most recent updates for Wi-Fi access points in Wi-Fi enabled networks
- Be sure to put in place proper physical controls that prevent attackers from staying within physical range of a Wi-Fi access point
- Make sure to back up and store data in accordance with your individual procedures and disaster recovery processes