Stryker Medical Beds
Monitor · 6.8 · ICS-CERT ICSMA-19-029-01 · Jan 29, 2019
Attack Vector: Adjacent
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
This advisory addresses KRACK (Key Reinstallation AttaCK) vulnerabilities in the wireless connectivity of Stryker medical beds. These vulnerabilities allow attackers to manipulate encrypted data traffic, potentially disclosing or injecting data in wireless communications between the bed and hospital network infrastructure. The vulnerability affects S3 MedSurg Bed, Secure II MedSurg Bed, and InTouch ICU Bed models equipped with iBed Wireless or Bed Wireless functionality. Exploitation requires proximity to the wireless network (adjacent network access) and high technical skill.
What this means
What could happen
An attacker could intercept, decrypt, or alter wireless communications to and from patient beds, potentially exposing patient data or modifying bed control commands that affect patient positioning, rail operation, or other clinical functions.
Who's at risk
Healthcare facilities using Stryker patient beds with wireless capability are affected. The vulnerability affects critical medical equipment in hospitals and care settings: S3 MedSurg Bed (models 3002 S3, 3005 S3), Secure II MedSurg Bed (model 3002), and InTouch ICU Bed (models 2131, 2141). Patient data privacy and bed safety systems are at risk.
How it could be exploited
An attacker positioned near the hospital or within range of the wireless network could perform a KRACK attack against the iBed Wireless encryption. By forcing key reinstallation, the attacker can decrypt or inject data into the wireless stream between the bed and the access point, potentially capturing patient information or sending unauthorized commands to the bed.
Prerequisites
- Proximity to the hospital wireless network (adjacent network access, typically within ~100 meters)
- High technical skill to execute a KRACK attack
- iBed Wireless or Bed Wireless feature enabled on the affected bed model
- Target bed must be actively communicating over wireless
- No patch available for some models (Gateway 1.0)
- Affects patient data confidentiality
- Affects medical device functionality
- Requires adjacent network access (physically near hospital)
- High skill required to exploit
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (3)
3 pending
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| S3 MedSurg Bed (enabled with iBed Wireless): Models 3002 S3 and 3005 S3 | 3002 S3, 3005 S3 | No fix yet |
| Secure II MedSurg Bed (enabled with iBed Wireless): Model 3002 | 3002 | No fix yet |
| InTouch ICU Bed (enabled with Bed Wireless): Models 2131 and 2141 | 2131 and 2141 | No fix yet |
Remediation & Mitigation
Do now
- WORKAROUND: Disable iBed Wireless functionality on affected beds if wireless capability is not clinically necessary
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: For Gateway 2.0-equipped beds: upgrade to software version 5212-400-905_3.5.002.01
- HOTFIX: For Gateway 3.0-equipped beds: verify current software version 5212-500-905_4.3.001.01 is installed (patch already incorporated)
- HARDENING: Place wireless-enabled medical beds on a separate VLAN from other hospital networks
- HOTFIX: Update all Wi-Fi access points to the latest firmware version that includes KRACK patches
- HARDENING: Restrict wireless network access to only authorized hospital devices and personnel
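The remediation steps above can be applied to a bed inventory to decide the action for each asset. This is an added example, not part of the advisory or any Stryker tooling; the CSV columns, the action labels and the assumption that the dotted version fields order numerically are hypothetical.

```python
import csv, io

# Fixed software versions named in the advisory, keyed by gateway generation.
FIXED = {"2.0": "5212-400-905_3.5.002.01", "3.0": "5212-500-905_4.3.001.01"}
# Affected product/model pairs listed in the advisory.
AFFECTED = {("S3 MedSurg Bed", "3002 S3"), ("S3 MedSurg Bed", "3005 S3"),
            ("Secure II MedSurg Bed", "3002"),
            ("InTouch ICU Bed", "2131"), ("InTouch ICU Bed", "2141")}

def parse_version(s):
    """Split '<part>_<a.b.c.d>' into (part, (a, b, c, d)); numeric ordering is assumed."""
    part, _, ver = s.strip().partition("_")
    if not ver:
        raise ValueError(f"unrecognised version string: {s!r}")
    return part, tuple(int(x) for x in ver.split("."))

def triage(row):
    """Return the advisory action for one inventory row (dict of strings)."""
    if (row["product"], row["model"]) not in AFFECTED:
        return "not-listed"
    if row["wireless"].lower() != "yes":
        return "ok-wireless-disabled"      # the workaround is already in place
    fixed = FIXED.get(row["gateway"])
    if fixed is None:                      # e.g. Gateway 1.0: no patch listed
        return "no-patch-disable-wireless-or-isolate"
    try:
        part, ver = parse_version(row["sw_version"])
    except ValueError:
        return "verify-manually"
    fpart, fver = parse_version(fixed)
    if part != fpart:                      # part number does not match this gateway
        return "verify-manually"
    return "ok-patched" if ver >= fver else "upgrade-to-" + fixed

# Constructed sample inventory (not real hospital data).
SAMPLE = """asset,product,model,gateway,sw_version,wireless
BED-001,S3 MedSurg Bed,3002 S3,1.0,unknown,yes
BED-002,Secure II MedSurg Bed,3002,2.0,5212-400-905_3.4.010.03,yes
BED-003,InTouch ICU Bed,2141,3.0,5212-500-905_4.3.001.01,yes
BED-004,InTouch ICU Bed,2131,2.0,5212-400-905_3.5.002.01,no
BED-005,S3 MedSurg Bed,3005 S3,3.0,5212-400-905_3.5.002.01,yes
"""

def triage_inventory(text):
    return {r["asset"]: triage(r) for r in csv.DictReader(io.StringIO(text))}

if __name__ == "__main__":
    for asset, action in triage_inventory(SAMPLE).items():
        print(asset, action)
```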
CVEs (1)