Cyber-security vulnerabilities identified in two major medical devices
CyberMDX says it worked closely with both vendors and that the vulnerabilities have been publicly disclosed via ICS-CERT.
CyberMDX found a potential vulnerability in the BD Alaris TIVA syringe pump with software version 2.3.6 and below that is sold and used outside of the U.S.
CyberMDX’s research team found that if a malicious attacker can gain access to a hospital’s network, and if the Alaris TIVA syringe pump is connected to a terminal server, the attacker can carry out the attack without any prior knowledge of the IP addresses or location of the pump.
The attack could lead to unauthorised start/stop of the pump and/or unauthorised changes in the rate of infusion.
More information about the potential vulnerability, rated CVSS 9.4 (critical), is available in the ICS-CERT advisory (ICSMA-18-235-01).
Source: Med Tech News