Medical Devices Vulnerable To KRACK Wi-Fi Attacks

Medical devices made by New Jersey-based Becton, Dickinson and Company (BD) are vulnerable to a class of Wi-Fi security flaws disclosed last October, with the firm saying the bugs could allow attackers to gain access to hospital networks.

The set of bugs, called KRACK attacks by the researcher who discovered them, allows an attacker within radio range to listen in on Wi-Fi networks that are thought to be secure, potentially decrypting information such as login credentials. KRACK stands for Key Reinstallation Attack: by replaying a message from the WPA2 handshake, the attacker tricks a client into reinstalling a key that is already in use, which resets the per-packet counter and causes the same encryption keystream to be reused, so traffic can be decrypted and, depending on the cipher suite, replayed or forged.

The issues are unusual in that they affect the WPA2 protocol itself rather than one vendor's implementation, meaning that most protected Wi-Fi networks – those requiring a password to join – are vulnerable until client and access-point software is patched.
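To make the "key reinstallation" mechanism concrete, the following is an added illustration written for this page, not code from the original article or from BD. It models a toy Wi-Fi client whose handshake handling follows the pre-fix 802.11 behaviour (every Message 3 installs the key and resets the packet number), replays Message 3 the way a KRACK attacker does, and shows how one predictable frame then lets the attacker recover a second, secret frame. The keystream function is a constructed stand-in (SHA-256 in counter mode) for CCMP's AES-CTR, and the frames and key material are constructed samples; the real attack additionally requires a channel-based man-in-the-middle position to block the client's Message 4 so the access point retransmits Message 3, which is not modelled here. The `patched` flag shows the client-side fix: never reinstall a key that is already installed.

```python
import hashlib
from itertools import count
from typing import Optional, Tuple

# Constructed stand-in for CCMP's AES-CTR keystream: SHA-256 run in counter mode over
# (key, 48-bit packet number used as nonce, block index). Real WPA2 uses AES, but the
# consequence of reusing a nonce under the same key is identical: identical keystream.
def keystream(key: bytes, nonce: int, length: int) -> bytes:
    out = b""
    for block in count():
        out += hashlib.sha256(key + nonce.to_bytes(6, "big") + block.to_bytes(4, "big")).digest()
        if len(out) >= length:
            return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Toy Wi-Fi client: holds the pairwise key (PTK) and the CCMP packet number (nonce)."""

    def __init__(self, patched: bool) -> None:
        self.patched = patched
        self.ptk: Optional[bytes] = None
        self.pn = 0

    def on_message3(self, ptk: bytes) -> None:
        # Pre-fix 802.11 behaviour: every Message 3 of the 4-way handshake (re)installs
        # the key and resets the packet number, even if that key is already in use.
        if self.patched and self.ptk == ptk:
            return  # fix: an already-installed key is not reinstalled, so the counter keeps climbing
        self.ptk = ptk
        self.pn = 0

    def encrypt(self, plaintext: bytes) -> Tuple[int, bytes]:
        nonce = self.pn
        self.pn += 1
        return nonce, xor(plaintext, keystream(self.ptk, nonce, len(plaintext)))


# Constructed sample frames: one the attacker can predict (padded with known bytes),
# one carrying a credential the attacker wants.
KNOWN_FRAME = b"ARP who-has 10.0.0.1 tell 10.0.0.7".ljust(96, b"\x00")
SECRET_FRAME = b"POST /login user=nurse01&pass=Winter2017 (constructed credential)"


def run_attack(patched: bool) -> Optional[bytes]:
    """Returns the recovered secret frame, or None if the nonce was not reused."""
    ptk = hashlib.sha256(b"constructed pairwise key material").digest()
    client = Supplicant(patched)
    client.on_message3(ptk)                  # legitimate handshake completes, counter = 0
    n1, c1 = client.encrypt(KNOWN_FRAME)     # nonce 0 consumed
    client.on_message3(ptk)                  # attacker replays Message 3
    n2, c2 = client.encrypt(SECRET_FRAME)    # vulnerable client resets and reuses nonce 0
    if n1 != n2:
        return None                          # distinct nonces: ciphertexts reveal nothing
    # Same key and nonce means c1 ^ c2 == p1 ^ p2, so one known plaintext reveals the other.
    return xor(xor(c1, c2), KNOWN_FRAME)


if __name__ == "__main__":
    print("unpatched client:", run_attack(patched=False))
    print("patched client:  ", run_attack(patched=True))
```

Running the script shows the unpatched client handing back the credential frame byte for byte, while the patched client yields nothing because its second frame went out under nonce 1. This is also why the product-level advice below matters: devices that add their own encryption on top of the Wi-Fi link are unaffected by keystream reuse at the WPA2 layer, while devices that rely on WPA2 alone expose their traffic.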

While BD is not the only medical device maker affected by the KRACK flaws, the firm’s advisory sheds light on the health sector’s broader response to the issues.


Data grab

“BD is monitoring the developing situation with a recently disclosed set of vulnerabilities found in the WPA2 protocol,” the company said.

In its initial advisory last October BD said that affected hospital networks could see patient records changed or stolen and “major IT disruptions”.

In an update, the company said some of its products, including anaesthesia systems, handheld devices and workstations, sent data over Wi-Fi with no encryption of their own, relying on the WPA2 link alone. An attacker could use a KRACK attack to gain "complete" control of the data sent to and from those devices, BD said.

“Confidentiality and integrity are rated high (severity) as KRACK causes complete loss of control over unencrypted data,” BD said of those products.

No privileges or user interaction are required to exploit the flaws, BD said in its advisory.

Patches

But the firm said the danger was only "Medium" overall because KRACK exploits require the attacker to be within radio range of the target network and to have "significant technical skills".

Two other products were not vulnerable because the data they transmit carries its own AES 128-bit encryption, independent of the Wi-Fi link, so decrypting WPA2 traffic would not expose it.

BD said users should install patches, but noted that in some cases securing devices may depend on installing fixes for technologies from third parties. It also listed three BD Pyxis products that require coordination with customers to deploy patches, due to their design and functionality.

Hospital networks have seen trouble from other quarters as well, including a number of ransomware outbreaks and last year’s WannaCry malware, which caused significant disruption to the NHS.


Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications
