The devices run on Windows XP, which has reached end of life

Mar 31, 2016 09:15 GMT  ·  By

Older versions of CareFusion’s Pyxis SupplyStation contain more than 1,400 security vulnerabilities, many of which remote attackers can exploit to alter the devices' normal operation.

CareFusion’s Pyxis SupplyStation is an automated cabinet that stores medical supplies of various categories and dispenses them to staff who authenticate with an access code or other credentials. It is used in many hospitals and private clinics, mainly to keep track of inventory.

Two security researchers, Billy Rios and Mike Ahmadi, ran automated security scanning tools against a decommissioned device and discovered a large number of security bugs. Taking their research further, they found that Pyxis SupplyStation versions 8.0, 8.1.3, 9.0, 9.1, 9.2 and 9.3 contain a total of more than 1,400 security bugs.

Devices are running on EOL Windows XP machines

These versions were built on a custom Windows XP build, and because Windows XP itself has reached end of life, all of them are now unsupported; in many cases, however, the medical centers where they are deployed continue to use them.

The researchers reported their findings to ICS-CERT, which, together with BD (CareFusion's parent company and the device's manufacturer), has issued public alerts on the topic warning hospitals to upgrade to newer devices.

Out of the 1,418 vulnerabilities, the researchers say that 715 are rated high severity (CVSS score between 7.0 and 10.0) and 606 medium severity (CVSS between 4.0 and 6.9), which leaves 97 in the low range. Despite the devices being located in hospitals, the researchers and ICS-CERT specialists say that attacking and exploiting Pyxis supply stations is not expected to lead to the loss of human life.
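The severity ranges quoted above (7.0 to 10.0 high, 4.0 to 6.9 medium) are the CVSS v2 buckets, so a practitioner triaging a scanner report of this size would want to compute the base score from each finding's vector and count by bucket. The following is an added example written for this article, not code from the researchers, ICS-CERT or BD; it implements the CVSS v2.0 base-score equation and runs it over a handful of constructed vectors that are illustrative only and are not the actual Pyxis SupplyStation findings.

```python
"""CVSS v2 base-score triage (added example, not from the advisory)."""
from collections import Counter
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2.0 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}


def parse_vector(vector):
    """Parse 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into a metric -> value dict.

    Malformed or incomplete vectors raise instead of being scored, so a
    garbled scanner export cannot silently land in the 'low' bucket."""
    metrics = {}
    for part in vector.split("/"):
        name, _, value = part.partition(":")
        if not value:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[name] = value
    required = ("AV", "AC", "Au", "C", "I", "A")
    missing = [m for m in required if m not in metrics]
    if missing:
        raise ValueError(f"vector {vector!r} lacks {missing}")
    return metrics


def round1(x):
    """CVSS v2 round_to_1_decimal: half-up, not Python's banker's rounding."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(vector):
    """CVSS v2.0 base-score equation."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def severity(score):
    """The v2 buckets the article quotes: high 7.0-10.0, medium 4.0-6.9, low below 4.0."""
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def triage(findings):
    """Score each (component, vector) pair; return the rows and a per-bucket count."""
    counts = Counter()
    rows = []
    for component, vector in findings:
        score = base_score(vector)
        bucket = severity(score)
        counts[bucket] += 1
        rows.append((component, vector, score, bucket))
    return rows, dict(counts)


# Constructed sample findings: component names and vectors are hypothetical.
SAMPLE_FINDINGS = [
    ("remote-control service", "AV:N/AC:L/Au:N/C:C/I:C/A:C"),
    ("database engine", "AV:N/AC:L/Au:N/C:P/I:P/A:P"),
    ("reporting library", "AV:N/AC:L/Au:N/C:P/I:N/A:N"),
    ("installer", "AV:L/AC:L/Au:N/C:N/I:N/A:P"),
]

if __name__ == "__main__":
    rows, totals = triage(SAMPLE_FINDINGS)
    for component, vector, score, bucket in rows:
        print(f"{score:5.1f} {bucket:7s} {component:22s} {vector}")
    print(totals)
```

The half-up rounding matters at the bucket boundaries: a raw score of 6.95 must become 7.0 (high), which Python's default `round` would not guarantee.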

Some mitigation techniques exist to protect existing equipment

Most of the vulnerabilities can be exploited remotely, and the researchers add that they are mostly found in third-party components installed on the device, such as BMC Appsight 5.7, SAP Crystal Reports 8.5, Flexera Software InstallShield, Sybase SQL Anywhere 9, Symantec Antivirus 9 and Symantec pcAnywhere 10.5.

Because not all medical care units can upgrade to newer equipment due to prohibitive costs, BD has also published a series of mitigation techniques on its website so that healthcare providers can safeguard the gear they already have.

These recommendations include using a VPN whenever the device must be reached over a network, running antivirus on the device, placing it behind a firewall, and isolating it from the Internet altogether. Note that the Symantec Antivirus 9 build shipped on these devices is itself among the vulnerable third-party components, so network isolation and firewalling, not the on-box antivirus, are the controls to rely on.