Feds Issue Alerts for Several Medical Device Security FlawsVulnerabilities Affect Certain Illumina and BD Products
Federal authorities have issued advisories about security vulnerabilities identified in several medical device products, including various genetic testing and sequencing devices from manufacturer Illumina Inc. and certain automated medication dispensing systems and microbiology software products from Becton, Dickinson & Co.
The U.S. Cybersecurity and Infrastructure Security Agency in its alert says the vulnerabilities include flaws that, if exploited, could allow attackers to gain access to data or in some cases control of the affected products.
CISA on Thursday issued about five vulnerabilities identified by an independent research firm in the Local Run Manager software contained in several Illumina in-vitro diagnostic, or IVD, devices and in research-use-only instruments, or RUOs.
The affected IVD products include Illumina NextSeq 550Dx: LRM Versions 1.3 to 3.1 and MiSeq Dx: LRM Versions 1.3 to 3.1, which are next-generation sequencing instruments.
The Food and Drug Administration, which issued a related alert for healthcare providers, says the affected Illumina IVD products are medical devices that may be specified either for clinical diagnostic use in sequencing a person's DNA or testing for various genetic conditions.
The Illumina RUO gear affected by the various vulnerabilities include NextSeq 500 Instrument: LRM Versions 1.3 to 3.1, NextSeq 550 Instrument: LRM Versions 1.3 to 3.1, MiSeq Instrument: LRM Versions 1.3 to 3.1, iSeq 100 Instrument: LRM Versions 1.3 to 3.1, and MiniSeq Instrument: LRM Versions 1.3 to 3.1.
The FDA in its alert for healthcare providers says the RUO devices are typically used in a development stage and are not for use in diagnostic procedures. But, it adds, many laboratories may be using the devices with tests for clinical diagnostic use.
The vulnerabilities are exploitable remotely and have a low attack complexity, CISA says. The Illumina vulnerabilities involve path traversal, unrestricted upload of file with dangerous type, improper access control, and cleartext transmission of sensitive information. The vulnerabilities were scored as having CVSS v3 base scores of between 7.4 and 10.0.
"Successful exploitation of these vulnerabilities may allow an unauthenticated malicious actor to take control of the affected product remotely and take any action at the operating system level," CISA warns. "An attacker could impact settings, configurations, software, or data on the affected product and interact through the affected product with the connected network."
"Illumina has confirmed a security vulnerability affecting software in certain Illumina desktop sequencing instruments," the company says in a statement provided to Information Security Media Group. "Illumina takes data privacy and cybersecurity very seriously and prioritizes instrument security and the protection of genomic and personal data."
The company says it has released a patch that protects against remote exploitation of the vulnerabilities and is developing a permanent remediation.
BD Product Vulnerabilities
CISA issued two separate alerts Monday pertaining to certain BD product security vulnerabilities. BD says it has voluntarily reported the issues to CISA, the FDA and the Health Information Sharing and Analysis Center.
The CISA alerts include a warning that exploitation of a "not using password aging" vulnerability identified in certain BD Pyxis automated medication dispensing system products that could allow an attacker to gain privileged access to the underlying file system or electronic protected health information or other sensitive information.
"Specific BD Pyxis products were installed with default credentials and may still operate with these credentials," CISA says. "There may be scenarios where BD Pyxis products are installed with the same default local operating system credentials or domain-joined server credentials that may be shared across product types," the alert says. A CVSS v3 base score of 8.8 has been assigned to the vulnerability, CISA says.
An advisory issued by BD about the vulnerability says the company is currently strengthening credential management capabilities in BD Pyxis products. "Service personnel are working with users whose domain-joined server credentials require updates," the company says.
"BD is piloting a credential management solution initially targeted for specific BD Pyxis product versions and will allow for improved authentication management practices with specific local operating system credentials," the company says. "Changes needed for installation, upgrade, or to applications are being evaluated as remediations."
Meanwhile, CISA in a separate alert also says certain versions of BD Synapsys, a microbiology informatics software platform, contain an "insufficient session expiration" vulnerability.
"An unauthorized physical breach of a BD Synapsys workstation would be negligible due to the sequence of events that must occur in a specific order, however successful exploitation of the vulnerability could lead to modification of ePHI, PHI, or PII," CISA says. "The result could cause delayed or incorrect treatment."
A CVSS v3 base score of 5.7 has been calculated for the vulnerability, CISA says.
BD in an advisory issued about the Synapsys vulnerability says BD Synapsys v4.20 SR2 will be released this month to remediate the flaw. Customers receiving BD Synapsys v4.30 will be allowed to upgrade to v5.10, which is expected to be available by August 2022, the company adds.
Some experts says that medical device makers can take a number of steps to improve the cybersecurity of premarket products and postmarket devices.
For premarket products, that includes the adoption of security development life cycle practices that help manufacturers involve cybersecurity in every part of the development process - starting from involving it in the planning and design, through development, testing and finally deployment, says Elad Luz, head of research at CyberMDX, which is now part of security firm Forescout.
"Every software product is likely to be vulnerable to something, and you can’t expect to find all of the flows by yourself, but you can expect locating and eliminating those low-hanging fruits to make it much more difficult and less attractive for attackers to exploit your devices," he says.
In terms of postmarket devices, Luz says it is critical for device makers to have a coordinated vulnerability disclosure program to help find issues related to their products and the appropriate partners to contact about the problems.
"Build security teams to constantly look for vulnerabilities and flows in your devices," he says. Luz notes that BD discovered the recent Synapsys and Pyxis device vulnerabilities internally, "which proves their investment in product security and by reporting it to CISA and H-ISAC they also demonstrate their care informing all stakeholders to have this fixed quickly," he says.
"The more medical manufacturers we see working this way, the sooner we can bridge the cybersecurity gap in healthcare."