Becton Dickinson Takes Leadership Role in Proactive IT Security Disclosure over KRACK Vulnerability

Share this article on:

The Department of Homeland Security (DHS) has drawn attention to a vulnerability that affects many medical devices that use the WPA2 protocol for securing WiFi communications. Last October, a flaw in WPA2 was identified that could potentially be exploited by threat actors to intercept communications over WiFi.

The attack method, termed a KRACK – or key reinstallation – attack, could potentially be used to install malware on devices or obtain or alter patient information. According to ICS-CERT, “The four-way hand shake traffic in the Wi-Fi Protected Access WPA and WPA2 protocol can be manipulated to allow nonce reuse resulting in key reinstallation. This could allow an attacker to execute a ‘man-in-the-middle’ attack, enabling the attacker within radio range to replay, decrypt, or spoof frames.”

In order for the flaw to be exploited, an attacker would need to be in radio range of a vulnerable device, which limits the potential for the flaw to be exploited. Exploiting the flaw is also not straightforward and requires a high level of technical skill.

Since the flaw is in the WPA2 protocol used to secure modern Wi-Fi networks, many medical devices are vulnerable to this type of attack. Since the flaw was discovered, many vendors have implemented patches to correct the vulnerability and secure their devices.

Becton, Dickinson and Company (BD), like many other medical product manufacturers, has discovered some of its products are vulnerable to KRACK. Last October, when the flaw was first disclosed, BD issued an alert confirming the company was monitoring the developing situation. In a recently updated security advisory, BD has proactively alerted healthcare providers about the products that could potentially be compromised via KRACK.

BD took the voluntary step of publicly disclosing which products were vulnerable to ensure healthcare providers were made aware of the potential risk, and to advise them that steps have been taken to mitigate the vulnerability. This has been achieved through the use of third-party vendor patches.

BD has been working with DHS to ensure customers using vulnerable devices are notified of the risk and the steps that can be taken to secure the products. In its advisory, BD explained that the flaw could be exploited through an adjacent network without user privileges or user interaction. While certain BD products were determined to be vulnerable because they used the WPA2 protocol, they were no more at risk than any other product that uses the WPA2 protocol.

BD notes that the KRACK vulnerability has been addressed for the following products through its routine patch deployment process:

  • BD Alaris™ Gateway Workstation
  • BD Pyxis™ Anesthesia ES
  • BD Pyxis™ Anesthesia System 4000
  • BD Pyxis™ Anesthesia System 3500
  • BD Pyxis™ MedStation 4000 T2
  • BD Pyxis™ MedStation ESv
  • BD Pyxis™ SupplyStation
  • BD Pyxis™ Supply Roller
  • BD Pyxis™ CIISafe – Workstation
  • BD Pyxis™ StockStation System

There are issues applying patches to correct the flaw affecting the following products, which require coordination with BD to correctly deploy the patches:

  • BD Pyxis™ ParAssist System
  • BD Pyxis™ Parx
  • BD Pyxis™ Parx handheld

BD is contacting customers who use those products to schedule a time to deploy the patches. BD has also suggested customers take other steps to reduce the risk associated with KRACK:

  • Ensure the latest recommended updates for Wi-Fi access points have been implemented in Wi-Fi enabled networks
  • Ensure appropriate physical controls are in place to prevent attackers from being within physical range of an affected Wi-Fi access point and client
  • Ensure data has been backed up and stored according to your individual processes and disaster recovery procedures

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On