Cybersecurity researchers have identified 11 vulnerabilities that could allow anyone to remotely take control of an imaging system, an infusion pump or an anesthesia machine, according to the FDA. More types of devices may be affected as well.
The vulnerabilities, collectively called URGENT/11, allow attacks to occur undetected: the affected device may interpret the malicious traffic as normal, benign network communications, making the attacks invisible to existing security measures, according to the agency. Enterprise IoT security company Armis first disclosed the vulnerabilities in the widely used VxWorks operating system in July 2019.
Attackers could change a device’s function, cause a denial of service, or cause information leaks or logical flaws that could prevent the device from working. The FDA said it is not aware of any adverse events related to the vulnerabilities, but said that software to exploit them is already publicly available.
“These devastating traits make these vulnerabilities ‘wormable,’ meaning they can be used to propagate malware into and within networks,” Armis said on its website. “Such an attack has a severe potential, resembling that of the EternalBlue vulnerability, used to spread the WannaCry malware.”
These vulnerabilities exist in IPnet, a third-party software component that supports network communications between computers. Though the IPnet software may no longer be supported by the original software vendor, some manufacturers have a license that allows them to continue to use it without support, the agency said. Therefore, the software may be incorporated into other software applications, equipment, and systems that may be used in a variety of medical and industrial devices that are still in use today.
The FDA said that some versions of the following operating systems are affected, although the vulnerable IPnet software component may not be included in all versions:
- VxWorks by Wind River.
- Operating System Embedded (OSE) by ENEA.
- INTEGRITY by Green Hills.
- ThreadX by Microsoft.
- ITRON by TRON Forum.
- ZebOS by IP Infusion.
Other operating systems that use IPnet may also be affected, the agency said. Wind River owns VxWorks and IPnet, but IPnet was originally developed by Interpeak. Before Wind River purchased IPnet, Interpeak licensed the software to other real-time operating system (RTOS) vendors to integrate into their operating systems. IPnet may also have been incorporated into other software applications, equipment and systems, the agency said.
Medical devices are among the primary users of RTOSs, according to Armis. Their exceptionally long life cycles make them especially prone to vulnerabilities in legacy third-party code, the company said. Armis cited BD’s Alaris infusion pump, which runs on ENEA’s OSE with the IPnet TCP/IP stack and is therefore affected by URGENT/11.
The vulnerability in the Alaris pump has not been exploited, according to BD, and even if it were, the company considers harm unlikely because each individual device would have to be targeted separately with an exploit. Details about the Alaris vulnerabilities may be found here.
“There is a highly detectable audible and visual alarm and an exploit would not interrupt infusions,” the company said in an email to MassDevice. “There is also a simple firewall rule that can be implemented to mitigate the vulnerability.”
Other medical device manufacturers are assessing which of their devices that use these operating systems are affected by URGENT/11 and identifying risks and remediation actions. Several have also notified customers and consumers whose devices are affected, the FDA said. The agency expects that additional affected devices will be identified.
The FDA is urging manufacturers to:
- Conduct a risk assessment of their devices according to its postmarket guidance and to develop mitigation plans.
- Work with the operating system vendor to identify if a patch is available and implement recommended mitigation methods.
- Evaluate and validate the patch for their devices, and ensure that any mitigations they employ (for example, firewalls or virtual private networks (VPNs)) are not themselves affected by URGENT/11.
- Report medical devices they’ve identified as vulnerable to URGENT/11 to the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
In recent years the FDA has paid increasing attention to medtech’s cybersecurity challenges, publishing its first premarket cybersecurity guidance in 2014 and a postmarket guidance in 2016. In October 2018, the agency issued an updated draft premarket guidance that includes some postmarket information. It also held a public workshop in January to gather feedback on that guidance and worked on a joint security plan.