Skip to main content

BD Alaris Exposed Credential Vulnerabilities

Threat ID:
CC-3795
Threat Severity:
Low
Published:
18 March 2021 12:17 PM
Report a cyber attack: call 0300 303 5222 or email [email protected]

Affected platforms

The following platforms are known to be affected:

BD Alaris 8015 PC Versions: 9.7 and earlier

Threat details

Introduction

BD has released details of two vulnerabilities in their Alaris Point-of-Care (PC) intravenous infusion pumps. They claim that an unauthorised attacker with physical access to an affected device could obtain sensitive data or access the host facility's network.

Vulnerabilities

Both vulnerabilities appear to be the result of affected Alaris PC systems inadequately restricting physical inputs:

  • CVE-2016-8375 - Vulnerable Alaris PC systems allow a physical user to  obtain network authentication credentials by replacing the external Wi-Fi card with a malicious CompactFlash card.
  • CVE-2016-9355 - Vulnerable Alaris PC systems can be disassembled by a physical user in order to remove their flash memory, allowing them read or write access to the system's memory.

Remediation advice

BD has confirmed that they will not be producing updates to address these vulnerabilities, but has instead suggested affected organisations apply the following mitigating controls:

  • Create dedicated medical device networks to limit the potential for network propagation.
  • Ensure all Alaris PC systems are fully updated, Versions lower than 9.19 are consider end-of-life.
  • Ensure tamper-proof seals and markers are correctly and consistently applied to vulnerable Alaris PC systems.

CVE Vulnerabilities

Status Published

CVE-2016-8375

An issue was discovered in Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC) unit, Version 9.5 and prior versions, and Version 9.7, and 8000 PC unit. An unauthorized user with physical access to an affected Alaris PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling the PC unit and accessing the device's flash memory. The Alaris 8015 PC unit, Version 9.7, and the 8000 PC unit store wireless network authentication credentials and other sensitive technical data on internal flash memory. Accessing the internal flash memory of the affected device would require special tools to extract data and carrying out this attack at a healthcare facility would increase the likelihood of detection.
Status Published

CVE-2016-9355

An issue was discovered in Becton, Dickinson and Company (BD) Alaris 8015 Point of Care (PC) unit, Version 9.5 and prior versions, and Version 9.7. An unauthorized user with physical access to an Alaris 8015 PC unit may be able to obtain unencrypted wireless network authentication credentials and other sensitive technical data by disassembling an Alaris 8015 PC unit and accessing the device's flash memory. Older software versions of the Alaris 8015 PC unit, Version 9.5 and prior versions, store wireless network authentication credentials and other sensitive technical data on the affected device's removable flash memory. Being able to remove the flash memory from the affected device reduces the risk of detection, allowing an attacker to extract stored data at the attacker's convenience.

Last edited: 7 September 2021 8:36 am