OTPulse

Stryker Medical Beds

MonitorCVSS 6.8ICS-CERT ICSMA-19-029-01Jan 29, 2019
HealthcareTransportation
Attack path
Attack VectorAdjacent
Auth RequiredNone
ComplexityHigh
User InteractionNone needed
Summary

This advisory addresses KRACK (Key Reinstallation AttaCK) vulnerabilities in the wireless connectivity of Stryker medical beds. These vulnerabilities allow attackers to manipulate encrypted data traffic, potentially disclosing or injecting data in wireless communications between the bed and hospital network infrastructure. The vulnerability affects S3 MedSurg Bed, Secure II MedSurg Bed, and InTouch ICU Bed models equipped with iBed Wireless or Bed Wireless functionality. Exploitation requires proximity to the wireless network (adjacent network access) and high technical skill.

What this means
What could happen
An attacker could intercept, decrypt, or alter wireless communications to and from patient beds, potentially exposing patient data or modifying bed control commands that affect patient positioning, rail operation, or other clinical functions.
Who's at risk
Healthcare facilities using Stryker patient beds with wireless capability should care about this vulnerability. It affects critical medical equipment in hospitals and care settings: S3 MedSurg Bed (models 3002 S3, 3005 S3), Secure II MedSurg Bed (model 3002), and InTouch ICU Bed (models 2131, 2141). Patient data privacy and bed safety systems are at risk.
How it could be exploited
An attacker positioned near the hospital or within range of the wireless network could perform a KRACK attack against the iBed Wireless encryption. By forcing key reinstallation, the attacker can decrypt or inject data into the wireless stream between the bed and the access point, potentially capturing patient information or sending unauthorized commands to the bed.
Prerequisites
  • Proximity to the hospital wireless network (adjacent network access, typically within ~100 meters)
  • High technical skill to execute KRACK attack
  • iBed Wireless or Bed Wireless feature enabled on the affected bed model
  • Target bed must be actively communicating over wireless
No patch available for some models (Gateway 1.0)Affects patient data confidentialityAffects medical device functionalityRequires adjacent network access (physically near hospital)High skill required to exploit
Exploitability
Unlikely to be exploited — EPSS score 0.7%
Affected products (3)
3 pending
ProductAffected VersionsFix Status
S3 MedSurg Bed (enabled with iBed Wireless): Models 3002 S3 and 3005 S33002 S3 | 3005 S3No fix yet
Secure II MedSurg Bed (enabled with iBed Wireless): Model 30023002No fix yet
InTouch ICU Bed (enabled with Bed Wireless): Models 2131 and 21412131 and 2141No fix yet
Remediation & Mitigation
0/6
Do now
0/1
WORKAROUNDDisable iBed Wireless functionality on affected beds if wireless capability is not clinically necessary
Schedule — requires maintenance window
0/5

Patching may require device reboot — plan for process interruption

HOTFIXFor Gateway 2.0-equipped beds: upgrade to software version 5212-400-905_3.5.002.01
HOTFIXFor Gateway 3.0-equipped beds: verify current software version 5212-500-905_4.3.001.01 is installed (patch already incorporated)
HARDENINGPlace wireless-enabled medical beds on a separate VLAN from other hospital networks
HOTFIXUpdate all Wi-Fi access points to the latest firmware version that includes KRACK patches
HARDENINGRestrict wireless network access to only authorized hospital devices and personnel
View full CISA ICS-CERT advisory
API: /api/v1/advisories/0b1078d6-f3d6-4781-b867-fa294884dcec

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.

Stryker Medical Beds | CVSS 6.8 - OTPulse