Totalys MultiProcessor

2022: Becton Dickinson admits holes in cervical research device

On October 4, 2022, Becton Dickinson (BD) reported the discovery of a dangerous vulnerability in a tool used to analyze cervical cytology samples.

We are talking about the Totalys MultiProcessor laboratory system. The problem (CVE-2022-40263 identifier) is due to the fact that the device uses hard-coded credentials. This allows an attacker with network or physical access to unauthorized viewing, changing and deleting protected and personal information. This can be, in particular, electronic medical records and other information. An attacker, for example, can associate study results with another patient, thereby affecting the course of treatment.

Becton Dickinson admits holes in Totalys MultiProcessor device

The problem affects the BD Totalys MultiProcessor tool with firmware version 1.70 and earlier. Information about the vulnerability has already been sent to a number of organizations, including the US Food and Drug Administration (FDA) and the US Cybersecurity and Infrastructure Protection Agency (CISA). Gap received a rating of 6.6 on a 10-point scale. This means the ability to access secure information under certain conditions.

In the current quarter, Becton Dickinson will release version 1.71 of the Totalys MultiProcessor software, in which the vulnerability will be fixed. Until then, it is recommended to restrict the access of unauthorized persons to the medical instrument, as well as disconnect it from the computer network. If network access is required, follow standard security policies and procedures. It is emphasized that today there is no information about ready-made exploits specifically aimed at this vulnerability.^[1][2][3]

Notes

Шаблон:Remarks