BD, CISA Warn of Security Flaw in Cancer Testing System
Flaw Involves a Hard-Coded Credential, a Too-Common Medical Device Problem
A hard-coded credential vulnerability in medical laboratory equipment used for cervical cancer screenings could allow an attacker to modify sensitive patient information.
Advisories issued Tuesday by manufacturer BD and the Cybersecurity and Infrastructure Security Agency as part of a coordinated vulnerability disclosure say the flaw affects the BD Totalys MultiProcessor versions 1.70 and earlier.
BD reported the finding to CISA. There have been no reports of the vulnerability being exploited, including in clinical settings, the device maker says. The company declined to disclose the estimated number of installed Totalys MultiProcessor systems in use globally in an emailed response to Information Security Media Group's inquiry.
The affected product uses hard-coded credentials that could allow an attacker to access, modify or delete sensitive information, including electronic protected health information and personally identifiable information. The Totalys MultiProcessor system "combines full automation of the cell enrichment process for cervical samples, continuous chain of custody and customizable aliquots for ancillary testing," according to BD.
A successful attack on the cervical cancer screening devices could have a high impact, the company acknowledges. Hackers could modify health data, possibly causing lab results to be associated with the wrong patient, which would create the potential for bad clinical outcomes.
The company says the attack surface is limited, an opinion not necessarily shared by security experts. "A successful attack would involve the threat actor having access to Windows authentication credentials (remote workstation) or breaking out of kiosk mode (instrument) to gain access to the underlying Windows operating system," BD wrote in its advisory.
But hospitals aren't the hacker-resistant environment that patients might hope for, warns Daniel dos Santos, who heads research at security firm Forescout Technologies. "What we see in reality is that often it's easy to get network access to these devices physically at a hospital or in some cases they are even exposed online."
"Our advice is to make sure that these devices are in a well segmented network and that attackers cannot have access to them," he says.
The weakness is cataloged as CVE-2022-40263 with a CVSS v3 base score of 6.6.
Hard-coded credentials are a common security flaw in medical devices. Security researchers in 2013 found them on roughly 300 medical devices made by 40 vendors.
Their prevalence is either due to a deliberate design decision that's less common now or because developers left them in the device's code by mistake, dos Santos says. The cancer screening device's hard-coded credentials are not used directly by customers or end users to access the system.
A BD spokeswoman told ISMG that the company applies a cybersecurity risk framework to new products. "We have processes in place to assess and, if found, remediate potential security weaknesses such as hard-coded credentials in new products prior to release," she says.
BD says the vulnerability is scheduled to be remediated in the BD Totalys MultiProcessor version 1.71 software release expected in the fourth quarter of 2022.
The company recommends that customers using versions of the affected Totalys MultiProcessor that use hard-coded credentials ensure physical access controls are in place and only authorized end users have access to the affected product. If the Totalys MultiProcessor must be connected to a network, BD says, ensure that industry standard network security policies and procedures are implemented.
This isn't the first time a security warning has flagged a BD product for a hard-coded credential.
Previous warnings include certain Pyxis medication dispensing systems, Viper LT molecular diagnostics and Kiestra laboratory automation, dos Santos says (see: Feds Issue Alerts for Several Medical Device Security Flaws).
Medical device makers can avoid the use of hard-coded credentials in their products by implementing secure software development life cycle practices that include static analysis, security review and dynamic testing, says dos Santos. "This way, hard-coded credentials can be detected before the devices are shipped to customers."
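As an added illustration of the static-analysis step dos Santos describes (example code, not BD's or Forescout's), the check below scans source text for string literals assigned to credential-like identifiers and filters out the usual false positives (values loaded from the environment, empty strings, field names and install-time placeholders). The sample source, identifier names and the release-gate function are constructed for this example.

```python
import re
from typing import List, Tuple

# Constructed sample source standing in for a device code base. It holds
# one genuine hard-coded credential plus lines a naive scanner misreports.
SAMPLE_SOURCE = """\
import os
SERVICE_USER = "labsvc"
SERVICE_PASSWORD = "Sup3rS3cret!"        # genuine hard-coded credential
db_password = os.environ["DB_PASSWORD"]  # resolved at runtime: fine
api_token = ""                           # empty: not a credential
PASSWORD_FIELD = "password"              # a field name, not a secret
admin_pw = "${ADMIN_PW}"                 # install-time placeholder
"""

# Identifier fragments that suggest a credential is being assigned.
CRED_NAME = re.compile(r"(pass(word|wd)?|secret|token|api[_-]?key)", re.I)
# Assignment of a non-empty string literal:  name = "value"
ASSIGN = re.compile(
    r"""^\s*(?P<name>[A-Za-z_]\w*)\s*=\s*(?P<q>["'])(?P<val>.+?)(?P=q)"""
)
# Literals that are templates or markers rather than real secrets.
PLACEHOLDER = re.compile(r"^(\$\{[^}]*\}|<[^>]*>|change\s*me|x{3,})$", re.I)


def find_hardcoded_credentials(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, identifier, literal) for likely hard-coded credentials."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        m = ASSIGN.match(line)
        if not m:                      # not a string-literal assignment
            continue
        name, val = m.group("name"), m.group("val").strip()
        if not CRED_NAME.search(name):  # identifier is not credential-like
            continue
        # Skip a literal that is itself just a field name or a placeholder.
        if CRED_NAME.fullmatch(val) or PLACEHOLDER.match(val):
            continue
        findings.append((line_no, name, val))
    return findings


def release_gate(source: str) -> bool:
    """Pre-release check: True only when no hard-coded credential was found."""
    return not find_hardcoded_credentials(source)


if __name__ == "__main__":
    for line_no, name, val in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {line_no}: {name} assigned literal {val!r}")
    print("release gate:", "PASS" if release_gate(SAMPLE_SOURCE) else "FAIL")
```

A real pipeline would run this kind of rule (or a mature secret scanner) over every commit, so a credential left in by mistake is caught long before the build reaches a device.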