Two cybersecurity vulnerabilities have been discovered in the firmware and web management of BD Alaris Gateway Workstations, the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team has disclosed. The vulnerabilities, reported by medical device cybersecurity researchers at CyberMDX, could allow a malicious attacker to completely disable the device, install malware, or report false information. In extreme cases, the attacker could even communicate directly with pumps connected to the gateway to alter drug dosages and infusion rates.

These vulnerabilities were independently tested and validated before being confirmed by BD. Together with the U.S. Department of Homeland Security, the vendor and CyberMDX worked to assess the extent of the risk posed and to express that risk in terms of baseline Common Vulnerability Scoring System (CVSS) scores.

The vulnerability within the Alaris Gateway firmware was disclosed with a CVSS risk score of 10.0 (Critical) CVSS, while the web browser user interface of the Alaris gateway workstation was disclosed with a CVSS risk score of 7.3 (High) CVSS.

Alaris Gateway workstations (AGWs) are used to provide mounting, power, and communication support to infusion pumps. These devices are used in a wide range of therapies—including fluid therapy, blood transfusions, chemotherapy, dialysis, and anesthesia.

Researchers from CyberMDX discovered that AGWs are vulnerable to an exploit that could remotely manipulate firmware files. The attack, which requires no special privileges to execute, could, for example, be used to “brick” the AGW—freezing it until it is repaired by the manufacturer. More troubling, it also allows an attacker to manipulate gateway communication with connected infusion pumps. For some infusion pump models used in tandem with AGWs, a hacker could use the compromised gateway to prevent the administration of life-saving treatment or to alter intended drug dosages.

Following responsible disclosure guidelines, CyberMDX contacted BD, who conducted its own testing and confirmed the vulnerability. Both parties then worked with the regulatory bodies to see the process through. Because of the ease of attack, the remote nature and the high impact, the firmware vulnerability was given a severity score of 10 out of 10.