ICS-CERT Issues Medical Advisory for Vulnerabilities Found in Stryker Equipment

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued a medical advisory about vulnerabilities found in Stryker equipment.

Nine vulnerabilities were identified, affecting Secure II MedSurg Beds, S3 MedSurg Beds, and InTouch ICU Beds. The vulnerabilities could potentially be exploited to allow “data traffic manipulation, resulting in partial disclosure of encrypted communication or injection data”. An attacker need only be within radio range of the devices to perform a successful attack.

The vulnerabilities are present in the four-way handshake used by the WPA and WPA2 wireless security protocols and allow nonce reuse in Key Reinstallation (KRACK) attacks. Similar vulnerabilities were identified in a wide range of wireless devices.

The nine vulnerabilities are summarised below:

CVE-2017-13077: Reinstallation of a pairwise key in the four-way handshake.

CVE-2017-13078: Reinstallation of group key in the four-way handshake.

CVE-2017-13079: Reinstallation of Integrity Group Temporal Key in the four-way handshake.

CVE-2017-13080: Reinstallation of group key in the group key handshake.

CVE-2017-13081: Reinstallation of Integrity Group Temporal Key in the group key handshake.

CVE-2017-13082: Reinstallation of Pairwise Transient Key Temporal Key in the fast BSS transition handshake.

CVE-2017-13086: Reinstallation of Tunneled Direct-Link Setup Peer Key in the Tunneled Direct-Link Setup handshake.

CVE-2017-13087: Reinstallation of the Group Temporal Key when processing a Wireless Network Management Sleep Mode Response frame.

CVE-2017-13088: Reinstallation of the Integrity Group Temporal Key when processing a Wireless Network Management Sleep Mode Response frame.

The group of vulnerabilities has collectively been assigned a CVSS v3 base score of 6.8, indicating that they are of medium severity. The flaws were identified by Mathy Vanhoef of imec-DistriNet, KU Leuven, and reported to the National Cybersecurity & Communications Integration Center (NCCIC).

“This vulnerability is not known to have been exploited on any of Stryker’s products. As such to our knowledge, no data has been breached, no information has been accessed, and no damage has been done,” according to Stryker’s product security notice. The vulnerabilities do not affect the functionality of the products.

Mitigations

The KRACK vulnerability applies to iBed Wireless-enabled Secure II, S3 and InTouch beds that are wirelessly connected to a hospital network.

Software updates have been released by Stryker to mitigate the vulnerabilities:

Users of Gateway 2.0 should upgrade to software version 5212-400-905_3.5.002.01

Users of Gateway 3.0 should upgrade to software version 5212-500-905_4.3.001.01

No patch is available for Gateway 1.0.

All of Stryker’s new Medical Wireless products have had the patch applied, including S3 Products shipped as of November 7, 2018, and InTouch products shipped as of July 9, 2018. New wireless activations also include software addressing the vulnerabilities.
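A fleet-triage check for the mitigation guidance above, added here as an example and not taken from Stryker or ICS-CERT. The inventory rows, status labels and the assumption that the dotted version fields compare numerically are constructed for illustration; confirm the version scheme with the vendor before relying on it.

```python
import re

# Fixed software versions named in the mitigation guidance above.
FIXED = {
    "2.0": "5212-400-905_3.5.002.01",
    "3.0": "5212-500-905_4.3.001.01",
}
NO_PATCH = {"1.0"}  # the page states no patch is available for Gateway 1.0

VERSION_RE = re.compile(r"^(\d{4}-\d{3}-\d{3})_(\d+(?:\.\d+)+)$")


def parse_version(text):
    """Split '<part number>_<dotted version>' into (part, tuple of ints)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return m.group(1), tuple(int(p) for p in m.group(2).split("."))


def triage(gateway, installed):
    """Return NO_PATCH_AVAILABLE, PATCHED, UPGRADE_REQUIRED or REVIEW."""
    if gateway in NO_PATCH:
        return "NO_PATCH_AVAILABLE"  # needs a compensating control instead
    if gateway not in FIXED:
        return "REVIEW"  # gateway generation not covered by the page
    try:
        part, ver = parse_version(installed)
    except ValueError:
        return "REVIEW"  # unreadable version: check the device by hand
    fixed_part, fixed_ver = parse_version(FIXED[gateway])
    if part != fixed_part:
        return "REVIEW"  # part number does not match this gateway generation
    # Assumption: dotted fields compare numerically, left to right.
    return "PATCHED" if ver >= fixed_ver else "UPGRADE_REQUIRED"


# Constructed inventory rows: (asset tag, gateway generation, installed software).
INVENTORY = [
    ("BED-0001", "1.0", "unknown"),
    ("BED-0002", "2.0", "5212-400-905_3.4.010.02"),
    ("BED-0003", "2.0", "5212-400-905_3.5.002.01"),
    ("BED-0004", "3.0", "5212-500-905_4.2.009.00"),
    ("BED-0005", "3.0", "5212-400-905_3.5.002.01"),
]


def triage_inventory(rows):
    return {tag: triage(gw, sw) for tag, gw, sw in rows}
```
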

NCCIC reminded organisations “to perform proper impact analysis and risk assessment prior to deploying defensive measures”.