Widespread eavesdropping flaws could be used to invade hospital networks, device maker warns
Medical devices made by New Jersey-based Becton, Dickinson and Company (BD) are vulnerable to a class of Wi-Fi security flaws disclosed last October, with the firm saying the bug could allow hackers to gain access to hospital networks.
The set of bugs, called KRACK attacks by the researcher who discovered them, allows an attacker to listen in on Wi-Fi networks that are thought to be secure, potentially decrypting information such as login credentials. KRACK stands for Key Reinstallation Attack.
The issues are unusual in that they affect the widely used WPA2 protocol, meaning that most protected Wi-Fi networks – those requiring a password to join – are vulnerable.
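A key reinstallation leaves an observable symptom on the air: the victim station's CCMP packet number (the per-frame nonce) jumps backwards without a fresh four-way handshake. The following is an added monitoring example, not code from the article or from BD; the frame records are constructed, and the message-1 heuristic for "a new key was legitimately negotiated" is this example's own simplification.

```python
# Added example: flag the packet-number reset that a KRACK key reinstallation
# causes on a client. Frames are constructed records, not real captures.
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Frame:
    src: str                          # transmitting station MAC
    dst: str                          # receiving station MAC
    eapol_msg: Optional[int] = None   # 1..4 for 4-way handshake messages, else None
    pn: Optional[int] = None          # CCMP packet number of a data frame

def find_key_reinstallations(frames: List[Frame]) -> List[str]:
    """Return one alert per data frame whose packet number is not greater than
    the highest one already seen from that station, unless the access point
    started a new handshake (message 1) for it since the last data frame."""
    alerts: List[str] = []
    max_pn: Dict[str, int] = {}        # highest PN observed per transmitter
    fresh_key: Dict[str, bool] = {}    # True after message 1 -> a PN reset is expected
    msg3_count: Dict[str, int] = {}    # message-3 frames delivered to each client
    for idx, f in enumerate(frames):
        if f.eapol_msg == 1:
            fresh_key[f.dst] = True    # new PTK coming; the client may restart its PN
            msg3_count[f.dst] = 0
        elif f.eapol_msg == 3:
            msg3_count[f.dst] = msg3_count.get(f.dst, 0) + 1
        elif f.pn is not None:
            prev = max_pn.get(f.src, -1)
            if f.pn <= prev and not fresh_key.get(f.src, False):
                alerts.append(
                    f"frame {idx}: {f.src} reused packet number {f.pn} "
                    f"(previous max {prev}) after {msg3_count.get(f.src, 0)} "
                    f"message-3 frames since the last handshake start")
            max_pn[f.src] = f.pn
            fresh_key[f.src] = False   # the first data frame consumes the reset allowance
    return alerts

AP, CLIENT = "aa:aa:aa:aa:aa:01", "cc:cc:cc:cc:cc:02"   # constructed addresses
SAMPLE_FRAMES = [
    Frame(AP, CLIENT, eapol_msg=1), Frame(CLIENT, AP, eapol_msg=2),
    Frame(AP, CLIENT, eapol_msg=3), Frame(CLIENT, AP, eapol_msg=4),
    Frame(CLIENT, AP, pn=1), Frame(CLIENT, AP, pn=2), Frame(CLIENT, AP, pn=3),
    Frame(AP, CLIENT, eapol_msg=3),   # replayed message 3: client reinstalls the key
    Frame(CLIENT, AP, pn=1),          # nonce reset under the same key -> alert
    Frame(AP, CLIENT, eapol_msg=1),   # genuine rekey: a reset after this is expected
    Frame(AP, CLIENT, eapol_msg=3), Frame(CLIENT, AP, eapol_msg=4),
    Frame(CLIENT, AP, pn=1),          # legitimate, no alert
]
```

Run over a live monitor-mode capture, the same check would need to be keyed per pairwise key and to tolerate the small reorderings real radios produce; the constructed trace above yields exactly one alert, on the frame following the replayed message 3.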
While BD is not the only medical device maker affected by the KRACK flaws, the firm’s advisory sheds light on the health sector’s broader response to the issues.
“BD is monitoring the developing situation with a recently disclosed set of vulnerabilities found in the WPA2 protocol,” the company said.
In its initial advisory last October, BD said that affected hospital networks could see patient records changed or stolen and “major IT disruptions”.
In an update, the company said some of its products, including anaesthesia systems, handheld devices and workstations, sent unencrypted data over Wi-Fi networks. A hacker could use a KRACK attack to gain “complete” control of the data sent to and from those devices, BD said.
“Confidentiality and integrity are rated high (severity) as KRACK causes complete loss of control over unencrypted data,” BD said of those products.
No privileges or user interaction are required to exploit the flaws, BD said in its advisory.
But the firm said the danger was only “Medium” overall because KRACK exploits require the hacker to be in physical proximity to the network and to have “significant technical skills”.
Two other products were not vulnerable because of the strong 128-bit AES encryption they use.
BD said users should install patches, but noted that in some cases securing devices may depend on installing fixes for technologies from third parties. It also listed three BD Pyxis products that require coordination with customers to deploy patches, due to their design and functionality.