Dive Brief:
- Becton Dickinson has disclosed a cybersecurity vulnerability that could allow an attacker to access and modify information on an instrument used to process cervical cytology samples.
- The vulnerability affects the Totalys MultiProcessor, a laboratory automation instrument. Because the instrument uses hard-coded credentials, an attacker with physical or network access could view protected and personal information, the company said.
- BD plans to release a software update in the fourth quarter to fix the issue. Until then, the company is advising users to mitigate the threat by restricting access to the instrument.
Dive Insight:
BD found the vulnerability and disclosed it to the Cybersecurity and Infrastructure Security Agency. The vulnerability received a score of 6.6 on a 10-point threat scale, reflecting the potential for an attacker to access private information and the limited circumstances in which that would be possible.
“A successful attack would involve the threat actor having access to Windows authentication credentials (Remote Workstation) or breaking out of kiosk mode (Instrument) to gain access to the underlying Windows operating system. Any such attack would have high impact to the confidentiality and partial impact to the integrity and availability of the system, including potential access to sensitive information,” BD said in a statement on its website. An attacker could associate results with the wrong patient, thereby affecting their care, it added.
Until BD rolls out version 1.71 of the software to fix the problem, it should be possible to prevent attacks by other means, the company said. If the instrument does not need to be connected to a network, an attacker would need to physically interact with the device to exploit the vulnerability. BD is advising labs to limit access to authorized end users.
If a lab needs to connect the instrument to a network, it should ensure that industry-standard security policies and procedures are followed, according to BD. No known public exploits specifically target the vulnerability, which is not exploitable remotely.