Medical Devices Vulnerable To KRACK Wi-Fi Attacks

Medical devices made by New Jersey-based Becton, Dickinson and Company (BD) are vulnerable to a class of Wi-Fi security flaws disclosed last October, with the firm saying the bug could allow hackers to gain access to hospital networks.

The set of bugs, called KRACK attacks by the researcher who discovered them, allows an attacker to listen in on Wi-Fi networks that are thought to be secure, potentially decrypting information such as login credentials. KRACK stands for Key Reinstallation Attack.

The issues are unusual in that they affect the widely used WPA2 protocol, meaning that most protected Wi-Fi networks – those requiring a password to join – are vulnerable.

While BD is not the only medical device maker affected by the KRACK flaws, the firm’s advisory sheds light on the health sector’s broader response to the issues.

Data grab

“BD is monitoring the developing situation with a recently disclosed set of vulnerabilities found in the WPA2 protocol,” the company said.

In its initial advisory last October, BD said that affected hospital networks could see patient records changed or stolen and suffer “major IT disruptions”.

In an update, the company said some of its products, including anaesthesia systems, handheld devices and workstations, sent unencrypted data over Wi-Fi networks. A hacker could use a KRACK attack to gain “complete” control of the data sent to and from those devices, BD said.

“Confidentiality and integrity are rated high (severity) as KRACK causes complete loss of control over unencrypted data,” BD said of those products.

No privileges or user interaction are required to exploit the flaws, BD said in its advisory.

Patches

But the firm said the danger was only “Medium” overall because KRACK exploits require the hacker to be in physical proximity to the network and to have “significant technical skills”.

Two other products were not vulnerable because of the strong 128-bit AES encryption they use.

BD said users should install patches, but noted that in some cases securing devices may depend on installing fixes for technologies from third parties. It also listed three BD Pyxis products that require coordination with customers to deploy patches, due to their design and functionality.

Hospital networks have seen trouble from other quarters as well, including a number of ransomware outbreaks and last year’s WannaCry malware, which caused significant disruption to the NHS.


Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications
