The Department of Homeland Security has disclosed two cybersecurity vulnerabilities in the firmware and web management interface of BD Alaris Gateway Workstations. The vulnerabilities were discovered by healthcare cybersecurity firm CyberMDX.
The vulnerabilities are serious because they could allow malicious actors to remotely access and take control of the popular infusion pump. The Alaris infusion pump delivers fluids into a patient's body in a controlled manner. The researchers found that attackers could exploit the bugs to install firmware on the pump's onboard computer, which runs Windows CE and actually controls the device.
On the company blog, Jon Rabinowitz, VP of marketing at CyberMDX, wrote: “An attack of this sort can allow an attacker to disable the workstation, disrupt the workstation, disrupt the flow of electricity to care-critical infusion pumps, falsify pump status information (vital for the nursing staff), and in some cases even alter drug delivery.”
The flaw has been designated CVE-2019-10959. In a rare step, the DHS rated the vulnerability with the maximum score of 10.0. The second vulnerability affecting the pump was scored 7.3 out of 10.0.