A slew of devices from medical technology company Becton, Dickinson and Company (BD) are vulnerable to the infamous KRACK key-reinstallation attack, potentially enabling hackers to change and exfiltrate patient records.
The KRACK vulnerability, discovered last October, is an industry-wide glitch in the WPA and WPA2 protocol for securing Wi-Fi that can cause “complete loss of control over data,” according to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). It explained in an advisory that KRACK “could allow an attacker to execute a ‘man-in-the-middle’ attack, enabling the attacker within radio range to replay, decrypt or spoof frames.”
Versions of BD Pyxis, the company’s medication and supply management system, are impacted by the vulnerability, according to ICS-CERT. That includes 12 versions of the system, such as the BD Pyxis Anesthesia ES, BD Pyxis SupplyStation, and BD Pyxis Parx handheld. This means that patient information could be intercepted over Wi-Fi.
BD said in a product security bulletin that KRACK can be exploited from an adjacent network with no privileges or user interaction necessary. However, BD stated, the “attack complexity is high as it requires proximity to an affected Wi-Fi access point and significant technical skills.”
As of now, there is currently no reported instance of the KRACK vulnerability being exploited maliciously against BD devices.
“BD is monitoring the developing situation with a recently disclosed set of vulnerabilities found in the WPA2 protocol affecting confidentiality, integrity and availability of communication between a Wi-Fi access point and a Wi-Fi-enabled client such as a computer, phone, Wi-Fi base stations and other gear, even if the data is encrypted,” the company said in the bulletin.
Since disclosure of the KRACK vulnerability last year, several vendors have come forward issuing patches, including Apple, Cisco for 69 of its wireless products, Google for Android and Rockwell Automation for its Stratix wireless access points.
“The medical devices cybersecurity landscape is lagging behind in issuing patches to known vulnerabilities, as is exemplified by this series of KRACK vulnerabilities which have been known for a good half a year now,” Leon Lerman, CEO of healthcare cybersecurity firm Cynerio, told Threatpost.
BD, for its part, said it has implemented third-party vendor patches through BD’s routine patch deployment process that resolves these vulnerabilities for most devices, and that it is in the process of contacting users to schedule and deploy patches.
To mitigate risks, BD said that customers should ensure the latest recommended updates for Wi-Fi access points have been implemented in Wi-Fi enabled networks and ensure that appropriate physical controls are in place to prevent attackers from being within physical range of an affected Wi-Fi access point and client.
“BD customers should first and foremost cooperate with the vendor in order to deploy the patches accordingly,” Lerman said. “It’s also crucial to deploy a specialized solution that enables full visibility of all medical devices on the network in order to be able to detect anomalies and mitigate them in real time.”
KRACK targets the four-way handshake of the WPA2 protocol, which is executed when a client wants to join a protected Wi-Fi network. During this process, a network password is exchanged to authenticate the client and access point. The KRACK attacks manipulate and replay these cryptographic handshake messages. When this happens, the access point interprets it to mean that the handshake has been lost or dropped, and retransmits the third part of the handshake.
“By forcing nonce reuse in this manner, the encryption protocol can be attacked, e.g., packets can be replayed, decrypted and/or forged,” according to researcher Mathy Vanhoef of The Katholieke Universiteit Leuven (KU Leuven), who discovered the flaw last fall, in a report. “The same technique can also be used to attack the group key, PeerKey, TDLS and fast-BSS-transition handshake.”