Heads up! If you, your loved ones or your organization rely on medical devices that connect wirelessly to Wi-Fi networks, you need to be aware of this issue.
Why? This big security flaw can potentially allow hackers to gain access to patient records and even take over health care facilities and hospital networks.
Remember the KRACK Wi-Fi flaw that was publicly revealed in October 2017? It’s a widespread flaw that affects every WPA2-encrypted device in the world.
It’s a scary flaw since it can allow an attacker to intercept data from a nearby Wi-Fi network, including personal data, private messages, records and web activity. Basically, anything that’s normally protected and encrypted by the WPA2 standard.
The worst thing about this flaw is that it is inherent in the Wi-Fi standard itself and any implementation of WPA2 is likely susceptible. That means if left unpatched, every Wi-Fi gadget you own – smartphones, computers, routers, tablets – can be exploited.
And naturally, as this company just reminded the public again, the same is true with wireless medical devices.
Medical devices are not immune to KRACK
A number of medical devices from Becton, Dickinson and Company (BD) were found to be vulnerable to KRACK attacks.
In a recent update to a security advisory that was first published in October 2017 (when KRACK was first publicly disclosed), the company has listed its products that are affected by the vulnerability.
Affected systems include 12 versions of the company’s medical supply and management systems, BD Pyxis. Devices affected include the BD Alaris Gateway Workstation, BD Pyxis Anesthesia ES, BD Anesthesia System 4000, MedStation ES, and the BD Pyxis Parx handheld.
The company wrote that if the flaw is exploited, it “can potentially affect all business industries including the healthcare industry.” The advisory also warns that the flaw could allow attackers to manipulate network traffic and inject data into it.
However, BD stresses that KRACK “is NOT a BD-specific vulnerability, but could affect any Wi-Fi devices that use the WPA2 protocol.”
This means wireless medical devices from other companies, not just BD, are equally vulnerable to KRACK attacks.
Therefore, the entire health industry should be aware that this flaw exists, and medical devices should be reevaluated and patched accordingly to protect patients and consumers.
KRACK is short for Key Reinstallation Attack.
Basically, this is how it works. An attacker can capture data from a nearby WPA2 protected Wi-Fi network by impersonating it and cloning its MAC address (a MAC address is a Wi-Fi gadget’s unique network identifier).
Gadgets connecting to the original router can then be forced to connect to the attacker’s clone network first.
Before the flaw was discovered, WPA2 clients were believed to be protected from this switcheroo, since a fresh key is required to encrypt each block of data and a key is never supposed to be used twice. Simply put, the keys from the real and the fake network won’t match, making the switch impossible.
However, KRACK abuses a flaw in the WPA2 handshake: by replaying one of the handshake messages, the fake network can make a gadget reinstall a key it has already used, so the same key is reused over and over and made valid again.
And because the flaw is in the Wi-Fi standard itself rather than in any one product, it persists across every gadget that uses WPA2.
However, since KRACK is all about faking an entire network, it can’t be used to steal Wi-Fi passwords or to attack the router itself.
It’s more useful for stealing information, man-in-the-middle attacks and spying on network traffic.
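To make the handshake flaw and its fix concrete, here is an added Python model of a simplified WPA2 client. It is not code from the article, from BD or from the KRACK researchers; the names `Client`, `on_message3`, `keystream` and `duplicate_nonces`, the hash-based stand-in for the real AES-CCMP cipher, and the sample key and frames are all constructed for this example. It shows that a client which reinstalls an already-used key when handshake message 3 is replayed also resets its packet counter and so encrypts two different frames with the same key-and-nonce pair, which is what lets an eavesdropper recover protected traffic, while a patched client that refuses the reinstall never does. `duplicate_nonces` is the kind of check a defender can run over captured (key, nonce) records.

```python
"""Toy model of the WPA2 handshake behaviour behind KRACK (constructed example).

Only the behaviour the article describes is modelled: a client that reinstalls
an already-installed session key when handshake message 3 is replayed also
resets its packet number (the nonce), so it encrypts new data with a key/nonce
pair it has already used. A patched client ignores the replay.
"""
import hashlib
from typing import List, Optional, Set, Tuple


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Deterministic stand-in for the AES-CTR keystream used by WPA2-CCMP.

    Real CCMP uses AES; a SHA-256 counter mode is used here so the example
    runs with the standard library only. The property that matters is the
    same: identical key + identical nonce -> identical keystream.
    """
    out = b""
    counter = 0
    while len(out) < length:
        block = key + nonce.to_bytes(6, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Simplified WPA2 client. patched=False reproduces the KRACK behaviour."""

    def __init__(self, patched: bool) -> None:
        self.patched = patched
        self.installed_key: Optional[bytes] = None
        self.packet_number = 0  # CCMP packet number, used as the nonce
        # Record of (key, nonce, ciphertext) for every frame sent
        self.sent: List[Tuple[bytes, int, bytes]] = []

    def on_message3(self, session_key: bytes) -> bool:
        """Handle message 3 of the 4-way handshake. Returns True if the key was (re)installed."""
        if self.patched and self.installed_key == session_key:
            # Fix: the key is already in use, so a retransmitted message 3
            # must not reinstall it or reset the packet number.
            return False
        # Legitimate first install, and the vulnerable path on a replay:
        # install the key and restart the packet number from zero.
        self.installed_key = session_key
        self.packet_number = 0
        return True

    def send(self, plaintext: bytes) -> bytes:
        """Encrypt one frame under the installed key with the next packet number."""
        if self.installed_key is None:
            raise RuntimeError("no key installed")
        self.packet_number += 1
        ks = keystream(self.installed_key, self.packet_number, len(plaintext))
        ciphertext = xor_bytes(plaintext, ks)
        self.sent.append((self.installed_key, self.packet_number, ciphertext))
        return ciphertext


def duplicate_nonces(records: List[Tuple[bytes, int, bytes]]) -> Set[Tuple[bytes, int]]:
    """Defender-side check: return every (key, nonce) pair used more than once."""
    seen: Set[Tuple[bytes, int]] = set()
    dups: Set[Tuple[bytes, int]] = set()
    for key, nonce, _ in records:
        if (key, nonce) in seen:
            dups.add((key, nonce))
        seen.add((key, nonce))
    return dups


def run_session(patched: bool, replay_message3: bool) -> dict:
    """Handshake, one frame, an optional replayed message 3, then a second frame."""
    key = b"\x11" * 16                    # constructed session key
    client = Client(patched)
    client.on_message3(key)               # legitimate message 3: first install
    p1 = b"glucose reading: 110"          # constructed sample frames, equal length
    p2 = b"dose: 5 mg at 09:00 "
    c1 = client.send(p1)
    reinstalled = client.on_message3(key) if replay_message3 else False
    c2 = client.send(p2)
    dups = duplicate_nonces(client.sent)
    return {
        "reinstalled": reinstalled,
        "duplicate_nonces": len(dups),
        # Same key and nonce -> same keystream, so c1 XOR c2 equals p1 XOR p2
        "plaintext_xor_leaked": bool(dups) and xor_bytes(c1, c2) == xor_bytes(p1, p2),
    }


if __name__ == "__main__":
    print("no replay, unpatched:", run_session(patched=False, replay_message3=False))
    print("replay, unpatched:   ", run_session(patched=False, replay_message3=True))
    print("replay, patched:     ", run_session(patched=True, replay_message3=True))
```

The patched branch is the whole fix: a key that is already installed is never installed a second time, so a replayed message 3 cannot rewind the packet number, and every frame keeps a nonce that has never been paired with that key before.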
Protect your BD devices now
Well, KRACK is a really scary flaw indeed and it puts the once-trusted WPA2 security standard into a precarious position.
Fortunately, BD stated that there are no verified reports of KRACK attacks against its medical devices so far.
However, to protect your BD medical equipment from future KRACK attacks, apply these mitigations now.
Update your medical gadgets
So, the first order of business: make sure you keep all your Wi-Fi-enabled medical gadgets updated with the latest software available.
BD has already deployed third-party KRACK vendor patches for these devices:
- BD Alaris™ Gateway Workstation
- BD Pyxis™ Anesthesia ES
- BD Pyxis™ Anesthesia System 4000
- BD Pyxis™ Anesthesia System 3500
- BD Pyxis™ MedStation 4000 T2
- BD Pyxis™ MedStation ESv
- BD Pyxis™ SupplyStation
- BD Pyxis™ Supply Roller
- BD Pyxis™ CIISafe – Workstation
- BD Pyxis™ StockStation System
Customers of the following systems are also being contacted to schedule and deploy the KRACK patches:
- BD Pyxis™ ParAssist System
- BD Pyxis™ Parx
- BD Pyxis™ Parx handheld
These two systems use AES 128-bit encryption for their communication, so NO patches are needed:
- BD Alaris™ PC Unit Model 8000
- BD Alaris™ PC Unit Model 8015
Update your router’s firmware
Router manufacturers have also rolled out their KRACK security patches by now. Make sure you check for any firmware update for your router and update it immediately.
In fact, although router manufacturers don’t tell you, checking for the latest firmware for your router at least every three months is one essential step in protecting your network.
Secure your Wi-Fi networks
Since KRACK hackers need to be near a network to clone it, the flaw can only be exploited by a top-shelf hacker who is within physical range. So make sure you have enough physical security around your facility and quickly report any suspicious activity.