KRACK Wi-Fi vulnerability can expose medical devices, patient records

The Wi-Fi vulnerability can be used to steal and tamper with patient records.

KRACK bug puts hospital IT infrastructure at risk The Wi-Fi vulnerability can be used to steal and tamper with patient records.

Medical devices produced by Becton, Dickinson and Company (BD) are vulnerable to the infamous KRACK bug, potentially exposing patient records.

Discovered in October, KRACK, which stands for Key Reinstallation Attack, exploits a flaw in the Wi-Fi Protected Access II (WPA2) protocol which is used to secure modern wireless networks.

If exploited, KRACK gives threat actors the key required to join wireless networks which would otherwise require a password for authentication.

Once they have joined, they can snoop on network traffic, perform Man-in-The-Middle (MiTM) attacks, hijack connections, and potentially send out crafted, malicious network packets.

In a security bulletin, BD said that successful exploit in a select range of products could also lead to patient record changes or exfiltration, as well as major IT disruptions.

"BD is monitoring the developing situation with a recently disclosed set of vulnerabilities found in the WPA2 protocol affecting confidentiality, integrity, and availability of communication between a Wi-Fi access point and a Wi-Fi enabled client such as a computer, phone, Wi-Fi base stations, and other gear, even if the data is encrypted," the company said.

Products including medical supply and management systems, such as the BD Alaris Gateway Workstation, Pyxis Anesthesia ES, Anesthesia System 4000, MedStation ES, and Parx handheld are impacted by the security flaw, among others.

According to the medical device manufacturer, KRACK can be exploited from an adjacent network, and no privileges or direct user interaction is necessary.

The company, however, is keen to emphasize that compromising devices through this method involves "high attack complexity," as well as proximity to an affected Wi-Fi access point and "significant technical skills."

There are no reported cases of the KRACK vulnerability being used in attacks against these medical devices.

See also: Industroyer: An in-depth look at the culprit behind Ukraine's power grid blackout

BD has deployed fixes and third-party vendor patches through a routine patch deployment process to protect some vulnerable devices, and others will be resolved soon as vendors are currently being contacted for patch scheduling.

"In order to prevent such issues, remediating KRACK will require a series of actions to be taken by the IT Department in healthcare facilities and vendors on which BD depends," the company says.

KRACK's potential for disruption and compromise spanned countless devices and systems due to the widespread use of WPA2. Companies including Apple, Google, Cisco, and Intel have all released fixes to protect users against exploitation.

Previous and related coverage