KRACK Wi-Fi flaw puts medical devices at risk

By Jessica Davis
04:35 PM
Share
Discovered in October, the fundamental WP2 protocol vulnerability can cause a complete loss of control of data and let a hacker launch a man-in-the-middle attack.
KRACK Wi-Fi flaw puts medical devices at risk

Medical devices manufactured by medical technology vendor Becton, Dickinson and Company are vulnerable to the notorious KRACK bug, which could potentially expose patient records, according to an ICS-CERT alert.

Discovered last October, KRACK is an industrywide fundamental operation flaw in the Wi-Fi Protected Access II (WPA2) protocol, meant to secure all modern protected Wi-Fi networks. If exploited, it would cause a complete loss of control over data and allow a hacker to launch a man-in-the-middle attack.

[Also: DHS: KRACK vulnerability puts every Wi-Fi connection at risk]

Some versions of BD Pyxis, its medication and supply management system, are impacted by this vulnerability, including 12 versions of the system such as the BD Pyxis SupplyStation, Pyxis Anesthesia ES and BD Pyxis Parx handheld.

The flaw could allow all patient data to be intercepted over Wi-Fi.

The KRACK flaw can be exploited through an adjacent network without user privileges or user interaction, according to a BD security bulletin. But a hacker would have to have significant technical skills and be in proximity of an affected Wi-Fi access point.

[Webinar: Understand your cybersecurity threats]

“There is currently no reported verified instance of the KRACK vulnerability being exploited maliciously against medical devices,” according to the alert. “However, if KRACK is successfully exploited in healthcare facilities, it’s been reported that affected hospital networks could experience patient record changes and or exfiltration and major IT disruptions.”

Currently, BD is monitoring the situation with “vulnerabilities found in the WPA2 protocol affecting confidentiality, integrity and availability of communication between a Wi-Fi access point and a Wi-Fi enabled client,” even if data is encrypted.

BD deployed fixes and patches to third-party vendors through routine patch deployment for some of the vulnerable devices. Officials said the other issues will be resolved once patch scheduling is established.

“In order to prevent such issues, remediating KRACK will require a series of actions to be taken by the IT Department in healthcare facilities and vendors on which BD depends," officials wrote.

Due to the widespread use of WPA2, companies like Apple, Cisco and Google already have released patches to protect their products against exploitation of this flaw.

Healthcare Security Forum

The forum in San Francisco to focus on business-critical information healthcare security pros need June 11-12.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com