Vulnerable infusion pumps can be remotely accessed to change dosages

Critical bug in medical infusion pumps lets an attacker remotely install unauthorized firmware to change medication dosages.

Researchers at CyberMDX, a healthcare security firm, have identified two different vulnerabilities in Becton Dickinson Alaris Gateway Workstations (AGW), which hospitals use with medical infusion pumps. One of the bugs is so severe that it carries a critical rating of 10 on the CVSS v3 severity scale.


The other bug is comparatively less severe and is found in the web-based management interface of the workstation.


The workstations are manufactured by popular medical device maker Becton Dickinson. An attacker can leverage these flaws remotely, without any authentication, to gain full control of the infusion pump.

The bugs are the result of a flaw (tracked as CVE-2019-10959) in the device’s firmware code. By exploiting these flaws, an attacker can easily hijack the device to disable it completely, install unauthorized firmware or malware, and report fake information. The attacker may also be able to communicate directly with the pumps linked to the gateway to manipulate drug dosages and even change infusion rates, both of which are drastic scenarios.



A Becton Dickinson Alaris Gateway Workstation.



It is worth noting that no special privileges would be needed by the attacker to perform these tasks. So, without much ado, the attacker can play with the lives of patients by preventing life-saving treatment.



This exploit can be carried out by ..
