On Tuesday, the US Food and Drug Administration (FDA) issued a cybersecurity alert which warned device manufacturers and hospitals of 11 vulnerabilities found in one of the most widely used remote operating systems in the world.
The vulnerabilities affect the IPnet TCP/IP stack, the third-party software component supported by VxWorks by Wind River, and originally came to the attention of security company Armis Labs in July. At that time, Armis worked with Wind River to develop fixes, patches and mitigation procedures, as well as to notify manufacturers of affected devices.
Armis has now announced that other operating systems, including Operating System Embedded (OSE) by ENEA, Integrity by Green Hills and ThreadX by Microsoft, are also affected by these vulnerabilities, collectively known as URGENT/11. According to Armis, this expands the reach to potentially millions of additional medical, industrial and enterprise devices.
The vulnerabilities can allow attackers to control a device, deny service, cause information leaks and even shut down a device’s function. Attackers can get past firewalls, bypass security and propagate malware through an internal network.
“Please keep in mind that the nature of the vulnerabilities allows the attack to occur undetected and without user interaction,” the FDA stated. “Because an attack may be interpreted by the affected device as normal and benign network communications, it may remain invisible to existing security measures.”
As an example, an attacker can infiltrate a hospital printer and make subtle changes that go unnoticed by existing security measures. Once inside the network, the attacker can tap into patient monitors that run on the same operating system, thereby accessing patient data and vitals charts and manipulating notifications or alerts.
So far, the FDA has reported no adverse events associated with these cybersecurity vulnerabilities. However, manufacturers say that an imaging system, an infusion pump and an anesthesia machine were found to be affected.
Since July, Armis has released an arsenal of tools to determine which devices use IPnet through various operating systems, plus additional information on the latest advisories.
The company says healthcare and manufacturing devices are especially prone to vulnerabilities in legacy code due to their significantly longer lifecycles and longer periods of development and approval. In 2016, the Department of Homeland Security issued an advisory for a Becton, Dickinson and Company (BD) supply management system that was subject to a cybersecurity risk. To beef up security, regulators have been issuing draft guidance on cybersecurity measures, and big pharma has been teaming up with software companies to leverage blockchain technologies.
The FDA is urging device manufacturers to develop risk mitigation plans, work with operating system vendors to develop patches, ensure firewalls or virtual private networks are not affected by URGENT/11 and communicate with patients, healthcare providers and facilities about how best to handle affected devices.