Naked Security

Medical devices vulnerable to KRACK Wi-Fi attacks

Some KRACKs still haven't been papered over.

Medical devices from Becton, Dickinson and Company (BD) that rely on Wi-Fi networks protected by Wi-Fi Protected Access II (WPA2) encryption are vulnerable to the KRACK Wi-Fi attacks, the company said in a security advisory.
The advisory is an update of one first issued when KRACK appeared in October 2017.

BD is monitoring the developing situation with a recently disclosed set of vulnerabilities found in the WPA2 protocol affecting confidentiality, integrity, and availability of communication between a Wi-Fi access point and a Wi-Fi enabled client such as a computer, phone, Wi-Fi base stations, and other gear, even if the data is encrypted.

BD is far from the only healthcare device maker, or device maker in any industry, with vulnerable products. But for BD and other medical device makers, the vulnerable products are devices used to monitor and treat patients, including, for example, anesthesia systems.
The security bulletin provides a list of vulnerable devices, including medical supply and management systems such as the BD Alaris Gateway Workstation, Pyxis Anesthesia ES, Anesthesia System 4000, MedStation ES, and Parx handheld, among others.


KRACK isn’t just one bug. It’s a collection of similar bugs, called the KRACK Attacks, that were discovered in October 2017, triggering breathless, apocalyptic warnings about the end of Wi-Fi as we know it.
In the event, the world did what it normally ends up doing in the face of whatever this month’s cyberapocalypse is: it patched what it could and moved on.
KRACK – which stands for Key Reinstallation Attack – works by exploiting a flaw in WPA and WPA2 protocol encryption, which these days covers most wireless access points where encryption has been turned on.
BD said that as far as medical devices go, nobody’s yet reported a successful malicious exploit of the vulnerability. The company said that a successful attack would in fact be tough to pull off, given that it would have to come from nearby and would take some skill:

KRACK can be exploited from an adjacent network. The attack complexity is high as it requires proximity to an affected Wi-Fi access point and significant technical skills.

Be that as it may, an attack would require no privileges, nor any direct user interaction. If the vulnerability were to be successfully exploited, BD said that attackers could change patient records and/or steal data, as well as inflict “major IT disruptions.”
To avoid that grim outcome, healthcare facilities’ IT departments and the vendors on which BD depends are going to have to take action, it said.
What action? Patch what you can and move on, of course.
The company says it’s implemented third-party vendor patches through its routine patching process and gave a list of vulnerable products that have already been patched. It’s currently contacting more vendors to schedule more patches.
What spooked people about KRACK was its scale – the bugs affected the Wi-Fi encryption used to secure most of the world’s wireless networks, and countless devices and systems that use WPA were vulnerable.
Fortunately, and as you might expect, patches were forthcoming: Apple was fast out of the gate with a patch to keep (some) iPhone users from being exploited, as we reported in early November 2017… Ditto for Aruba, Cisco and Intel, among others.
In December, Apple also threw the security blanket around iOS 11.2, which meant KRACK patches for the devices that were left out in the cold the first time around.
BD recommends that users of its products also take these steps to reduce the risk of KRACK attacks:

  • Make sure your Wi-Fi access points have the latest recommended updates.
  • Use physical controls to prevent attackers getting in range of affected Wi-Fi devices.
  • Back up data and implement appropriate disaster recovery procedures.

The rest of us can use KRACK as a reminder that no matter what this month’s cyberapocalypse is, defence in depth is the best strategy. With that in mind, the advice our own Paul Ducklin put forward when the KRACKs first appeared is worth another look:

  • Apply KRACK patches for your clients (and access points) as soon as they are available.
  • Treat all Wi-Fi networks like coffee shops with open, unencrypted, wireless.
  • Use HTTPS wherever websites allow it so your web browsing is encrypted.
  • Consider using a VPN, so that all your network traffic (not just your web browsing) is encrypted, from your laptop or mobile device to your home or work network, even if it travels over an unencrypted connection along the way.