Last updated: August 09, 2022
Original Publication: February 06, 2017

This notification is voluntarily reported by BD to the U.S. Department of Homeland Security (DHS) and the U.S. Food and Drug Administration (FDA). BD had previously released this vulnerability notification in 2017. This is an update to the 2017 vulnerability to include a new version of a product in scope and method for exploitation.

This product security bulletin is not related to the BD Alaris™ System recall notifications issued in 2020.

This notification provides product security information and recommendations related to a security vulnerability found within specified versions of the BD Alaris™ PC Unit (“Alaris PCU”). For maximum awareness, BD also voluntarily reported the contents of this bulletin to Information Sharing and Analysis Organizations (ISAOs) where BD participates, including the DHS Cybersecurity and Infrastructure Security Agency (CISA) (formerly Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)) and the Health Information Sharing and Analysis Center (H-ISAC).

Begin Update B: March 16, 2021

BD originally released this vulnerability notification in 2017. This is an update to the 2017 vulnerability to include a new version of a product in scope and method for exploitation.

BD is aware that an unauthorized user with physical access could potentially open the back of the Alaris PCU, remove the external Wi-Fi card and insert a pre-programmed malicious CompactFlash memory card (CF card) into an external port of the Alaris PCU, which could enable malicious attackers to extract flash memory to gain access to wireless network authentication credentials and other sensitive data. BD has received no reports of exploits related to this vulnerability.

This vulnerability was reported to BD by security vendor Palo Alto Networks.

End Update B: March 16, 2021

BD and independent security researchers have identified a security vulnerability in certain versions of Alaris PCU that could allow an unauthorized user to access a facility’s wireless network authentication credentials and other sensitive technical data. Vulnerable data may include:

• Wireless network Service Set Identifier (SSID)
• Wired Equivalent Privacy (WEP) keys
• WiFi Protected Access (WPA) Username, Password, Passphrase
• Root/Client Certificates
• Advanced Encryption Standard (AES) keys used to encrypt data in transit
• Alaris Systems Manager internet protocol (IP) address

Depending on current software version, this data may be accessed differently.

BD also discovered that a limited set of ePHI elements could potentially be accessed when an unauthorized user disassembles the Alaris PCU. The limited set of ePHI elements may include:

• Patient ID
• Infusion parameters
• Past infusion history
• Patient weight (for weight-based infusion)

Please note that the above mentioned ePHI elements do not uniquely identify an individual.

Begin Update B: March 16, 2021

An unauthorized user with physical access to an Alaris PCU may be able to disassemble the device to access the removable flash memory, allowing read-and-write access to device memory. Physical access to the CF card allows an attacker to overwrite application and internal data (logs, drug library, etc.). Older software versions of the Alaris PCU (Version 9.5 and prior) store wireless network authentication credentials and other sensitive technical data on the affected device’s removable flash memory. In addition, the proprietary nature of the stored data format makes it unlikely modification of the CF card would go undetected.

End Update B: March 16, 2021

Alaris PCU software versions 9.7 and later do not store any credentials on the removable CF card but instead store this data on internal flash memory.

For an attacker to exploit this vulnerability, an attacker must physically disassemble the Alaris PCU to access the circuit boards containing the flash memory chip. The attacker would then have to undertake additional unauthorized measures to read the sensitive data, such as:

1. Obtain knowledge of the Alaris command interface and craft a script to copy credentials
2. Use advanced tools to read the flash memory, decode the file system, and finally locate and read the sensitive data

To date, there have been no reports of this vulnerability being exploited but the vulnerability has been confirmed.

BD has conducted internal risk assessments for this vulnerability and has also collaborated with the U.S. Department of Homeland Security (DHS), U.S. Food and Drug Administration (FDA), and independent security researchers to review baseline and temporal Common Vulnerability Scoring System (CVSS) scores as outlined below. These vulnerability scores can be used in assessing risk within your own organization.

8015 with software version 9.5 or earlier:

Begin Update B: March 16, 2021

While the attack complexity is low to access the data, an attacker would need internal knowledge of the architecture of the device to exploit the data.

End Update B: March 16, 2021

6.8 (MED) CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Rationale: Physical access is required to exploit this vulnerability. Attack complexity is LOW based on availability of these wireless credentials on the PCU removable CF card, and no system privilege is required. The scope is considered unchanged as the disclosure of a password is a loss of confidentiality on the local system and subsequent attacks would be necessary to change scope. The Network credentials are considered sensitive parameters which results in the Confidentiality impact as HIGH.

8015 with software version 9.7 or later:

4.9 (MED) CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

Rationale: Physical access is required to exploit this vulnerability. Attack complexity is high based on limited availability of these wireless credentials that are stored in the Alaris PCU on internal flash memory. The attacker would then have to use advanced tools to read the flash memory, decode the file system, and then locate and read the credential data. No system privilege is required. Due to the Changed Scope element of this vulnerability with regards to wireless network access credentials, Confidentiality impact is high.

Begin Update B: March 16, 2021

BD will address this vulnerability through an upcoming version of the Alaris PCU software, pending 510(k) clearance. It is recommended that users upgrade to this software version, when it becomes available.

BD recommends hospitals create dedicated medical device wireless networks that only house medical equipment with wireless cards. This could reduce the impact to other devices on the hospital network.

End Update B: March 16, 2021

Additionally, BD recommends the following mitigations and compensating controls in order to reduce risk associated with this vulnerability.

• Customers are advised to follow procedures for clearing wireless network authentication credentials on the Alaris PCU if the device is to be removed or transported from the facility. These procedures are outlined in the Alaris System Maintenance Software User Manual.
• Customers are advised to change their wireless network authentication credentials regularly, and immediately if there is evidence of unauthorized physical access to an Alaris device at their facility. Additionally, all wireless credentials should be cleared prior to transferring an Alaris device to another facility.
• Customers are encouraged to consider security policy in which wireless credentials are not configured for the Alaris PCU if wireless networking functionality is not being utilized for operation. This will remediate the vulnerability for non-wireless users.
• For Alaris PCU software version 9.7 and later, BD has implemented Federal Information Processing Standard (FIPS) 140-2 Level 2 physical security controls, including standard tamper-evident physical seals which can be applied to hardware to provide indication of unauthorized physical access, if customers request that BD enable FIPS mode on the Alaris PCU .
  
  Customers should review “FIPS 140-2 Compliance Instructions for Alaris Products” guide, pages 11-29, for information on how to enforce FIPS 140-2 level 2 physical security controls on the Alaris PCU.
• Customers may choose to implement Access Control Lists (ACLs) that restrict device access to specific media access control (MAC) and IP addresses, ports, protocols, and services.
• A customer may choose to place Alaris PCUs on an isolated network with dedicated SSID to reduce the impact of compromised wireless network credentials. In all cases, security best practice prescribes frequent changing of SSID and wireless authentication credentials.