Cyber-security researchers at CyberMDX have discovered two major security flaw in commonly used medical devices: Becton Dickinson (BD)’s Alaris TIVA syringe pump and Qualcomm Life Capsule’s Datacaptor Terminal Server (DTS).
The researchers worked closely with both the vendors and the vulnerabilities were publically disclosed via the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). They called the flaws as Misfortune Cookie, assigned them a severity rating of 9.8.
A potential vulnerability is found in the BD Alaris TIVA syringe pump's software version 2.3.6 and later ones, which were sold outside the United States.
The team found out that if a hacker could gain access to a hospital’s network and the Alaris TIVA syringe pump is connected to the server, then the hacker can malicious activity without being caught.
Research head at CyberMDX, Elad Luz said: “Uncovering these vulnerabilities illustrates how responsible disclosure between cybersecurity researchers and medical device vendors can work when both sides are committed to improving patient safety.
“We are a catalyst for change in the healthcare industry by focusing our research capabilities solely on medical devices.
“Our research team is committed to ensuring patient safety by tirelessly working closely with hospitals and manufacturers to improve the security and resiliency of connected medical devices at hospitals worldwide.”
The research team has informed a security team at Qualcomm Life, who was initially unaware of this vulnerability. However, they have developed a patch to resolve the security issue. “Capsule suggests that customers with any of these three versions of DTS disable the installed web server to mitigate the vulnerability,” the company said.
“The web server is only employed for configuration during the initial deployment and is not required for the continued remote support of the device.”