FDA issues warning about Urgent/11 vulnerabilities putting critical medical devices at risk
Featuring commentary by George Gray, CTO, and VP of Research & Development, Ivenix
The U.S. Food and Drug Administration is warning healthcare providers and device manufacturers about potentially serious security flaws that may introduce risks for hospital networks and thousands of medical devices.
The security flaws can be traced back to a network protocol created nearly two decades ago that became an industry standard.
The FDA is not aware of any confirmed adverse events related to these vulnerabilities. However, software to exploit these vulnerabilities is already publicly available, the agency said in a safety advisory issued Tuesday. Devices determined to be affected so far include an imaging system, an infusion pump and an anesthesia machine, the FDA said.
Researchers at security firm Armis Security originally identified 11 vulnerabilities comprising a suite of network protocol bugs, named Urgent/11, that exist in IPnet, a third-party software component that supports network communications between computers. These vulnerabilities may allow anyone to remotely take control of a medical device and change its function, cause denial of service or cause information leaks or logical flaws that may prevent device function, the FDA stated.
The flaws impact devices going back to an earlier version of a real-time operating system called VxWorks in 2006, including routers, modems, firewalls, printers, VoIP phones, SCADA systems, internet of things and even MRI machines and elevators.
“Urgent/11 is serious as it enables attackers to take over devices with no user interaction required, and even bypass perimeter security devices such as firewalls and NAT solutions. These devastating traits make these vulnerabilities ‘wormable,’ meaning they can be used to propagate malware into and within networks,” Armis researchers wrote in a blog post.
Such an attack has a severe potential for harm resembling that of the EternalBlue vulnerability, used to spread the WannaCry malware.
“Though the IPnet software may no longer be supported by the original software vendor, some manufacturers have a license that allows them to continue to use it without support. Therefore, the software may be incorporated into other software applications, equipment, and systems that may be used in a variety of medical and industrial devices that are still in use today,” the FDA stated.
The Urgent/11 vulnerabilities may impact devices using real-time operating systems that supported IPnet TCP/IP stack, including VxWorks by Wind River, Operating System Embedded (OSE) by ENEA, Integrity by Green Hills, ThreadX by Microsoft, ITRON by TRON Forum and ZebOS by IP Infusion, the FDA said.
Armis Security researchers said devices using the operating system Nucleus RTOS by Mentor also may be impacted. The Department of Homeland Security issued an updated security advisory about the cybersecurity vulnerabilities Tuesday.
Armis released URGENT/11 Detector, a free, downloadable tool designed to detect devices vulnerable to Urgent/11 regardless of the real-time operating system the device uses.
George Gray, chief technology officer of medical device company Ivenix, said many medical devices are difficult to update and often are not getting updated unless a serious problem exists.
“As a result, though IPnet may no longer be officially supported by these operating systems, it could still be running in existing medical devices. The best way for a hospital engineer to find out whether this affects their devices is to contact their vendors directly. And, if vulnerable, pull the affected devices off the network until a security update can be made available,” he said.
Read the Full Article >