Kiosk Vulnerability Found Medication Dispensing Systems
Two medication dispensing systems from Becton Dickinson are affected by a vulnerability that could let attackers view and modify sensitive data.
Smart devices are all around us, and their online connection is what makes them useful. While this is certainly true for everyday items in the Internet for Things (IoT) ecosystem, such as smart speakers and fridges, it also applies to much more specialized equipment in the medical field.
An online connection for devices in the medical industry has an undisputed benefit, but it also opens the risk of being affected by vulnerabilities. A smart fridge with an exploit is, at most, an inconvenience, or it just another IoT bot in a vast attack network. But an exploit in a medical device can make the difference between life and death.
An advisory from Cybersecurity and Infrastructure Security Agency (CISA) explains the problems found with the BD Pyxis MedStation and Pyxis Anesthesia (PAS) ES System apparatus and details some mitigation steps that can be taken until a patch is issued and installed.
“The affected BD medical devices utilize a method of software application implementation called ’kiosk mode.’ This kiosk mode is vulnerable to local breakouts, which could allow an attacker with physical access to bypass kiosk mode and view and/or modify sensitive data,” says CISA in its advisory.
The two affected systems are Pyxis MedStation ES System, v1.6.1, and Pyxis Anesthesia (PAS) ES System, v1.6.1. Until the problem is fixed, medical professionals need to limit the use of these machines only to authorized users, to isolate impacted systems on the network, and to monitor and investigate unplanned reboots of the systems.
The vulnerability requires a low skill level to exploit, and the vulnerability was reported by the company that makes these devices, BD.CISA internet Internet of Things IoT vulnerability