Software Updates Issued to Address KRACK Vulnerabilities Affecting Stryker Medical Beds

Cybersecurity vulnerabilities have been identified in Stryker medical beds that could be exploited by an individual within radio range to replay, decrypt, or spoof frames. No reports have been received so far to suggest that the flaws have been exploited, no data breach has been experienced, and the flaws do not affect the functionality of the beds. The flaws are similar to others found in a wide range of non-Stryker wireless devices over the past few months.

Stryker notes in its product security update that “The KRACK vulnerability is applicable to iBed Wireless-enabled Secure II, S3 and InTouch beds that are wirelessly-connected to a hospital network.”

The vulnerabilities stem from how the four-way handshake is carried out in the WPA and WPA2 wireless security protocols. The flaws permit nonce reuse through key reinstallation attacks (KRACK).

In total, there are nine vulnerabilities:

  • CVE-2017-13088: Integrity Group Temporal Key Reinstallation when processing a Wireless Network Management Sleep Mode Response frame.
  • CVE-2017-13087: Group Temporal Key Reinstallation when processing a Wireless Network Management Sleep Mode Response frame.
  • CVE-2017-13086: Tunneled Direct-Link Setup Peer Key Reinstallation in the Tunneled Direct-Link Setup handshake.
  • CVE-2017-13082: Pairwise Transient Key Temporal Key Reinstallation in the fast BSS transition handshake.
  • CVE-2017-13081: Integrity Group Temporal Key Reinstallation in the group key handshake.
  • CVE-2017-13080: Group key reinstallation in the group key handshake.
  • CVE-2017-13079: Integrity Group Temporal Key reinstallation in the four-way handshake.
  • CVE-2017-13078: Group key reinstallation in the four-way handshake.
  • CVE-2017-13077: Pairwise key reinstallation in the four-way handshake.

A CVSS v3 base score of 6.8 has been assigned collectively to this group of vulnerabilities. Mathy Vanhoef of imec-DistriNet, KU Leuven identified the vulnerabilities and reported them to the National Cybersecurity & Communications Integration Center (NCCIC).

Stryker has released updated software to prevent the exploitation of these vulnerabilities:

  • Gateway 2.0 users must upgrade to software version 5212-400-905_3.5.002.01
  • Gateway 3.0 users must upgrade to software version 5212-500-905_4.3.001.01
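
An inventory check against the two fixed releases listed above, as an added example that is not from Stryker or the original article. It assumes each software string has the layout `<part number>_<dotted version>` and that a higher dotted version on the same part number also contains the fix; the asset names and the older version in the sample are constructed.

```python
import re

# Fixed releases named in the article, keyed by gateway generation.
FIXED = {
    "Gateway 2.0": "5212-400-905_3.5.002.01",
    "Gateway 3.0": "5212-500-905_4.3.001.01",
}
_VERSION_RE = re.compile(r"^(\d{4}-\d{3}-\d{3})_(\d+(?:\.\d+)*)$")

def parse(version):
    """Split '<part number>_<dotted version>' (assumed layout) into a comparable pair."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return m.group(1), tuple(int(p) for p in m.group(2).split("."))

def status(gateway, installed):
    """Return 'patched', 'vulnerable' or 'review' for one device."""
    if gateway not in FIXED:
        return "review"
    try:
        part, ver = parse(installed)
    except ValueError:
        return "review"  # unreadable version: needs a manual check
    fixed_part, fixed_ver = parse(FIXED[gateway])
    if part != fixed_part:
        return "review"  # software for a different product line: check by hand
    return "patched" if ver >= fixed_ver else "vulnerable"

def audit(inventory):
    """Map asset id -> status for (asset_id, gateway, installed_version) rows."""
    return {asset: status(gw, ver) for asset, gw, ver in inventory}

# Constructed inventory rows; asset ids and the older version are made up.
SAMPLE = [
    ("bed-icu-01", "Gateway 2.0", "5212-400-905_3.5.002.01"),
    ("bed-icu-02", "Gateway 2.0", "5212-400-905_3.4.010.07"),
    ("bed-or-03", "Gateway 3.0", "5212-500-905_4.3.001.01"),
    ("bed-or-04", "Gateway 3.0", "5212-400-905_3.5.002.01"),
    ("bed-ed-05", "Gateway 3.0", "unknown"),
]

if __name__ == "__main__":
    for asset, result in audit(SAMPLE).items():
        print(f"{asset}: {result}")
```

Rows marked `review` are ones the script cannot decide, such as a Gateway 3.0 unit reporting Gateway 2.0 software or an unreadable version, and should be checked on the device.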

 

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/