The Department of Homeland Security (DHS) and the Food and Drug Administration (FDA) are warning the public about the 11 vulnerabilities discovered in many medical devices in the summer. Dubbed Urgent/11, the security issues may have wider implications than initially thought, reported ZDNet.
In previous reports, the FDA said that the security flaws affected only the operating system VxWorks. Developed by Wind River, VxWorks is a real-time OS used by different medical facilities. Devices vulnerable to this security issue include routers, firewalls, printers, and even industrial equipment.
Researchers from the digital security company Armis found the security flaws. According to them, the vulnerabilities originate in IPnet, a TCP/IP networking library. Owned by Wind River, the software “helps support network communications between computers,” Medical Device Network said.
Armis said that the vulnerabilities can allow malicious parties to remotely access devices on susceptible networks, including patient monitors. Attackers can alter information, leak data and change functions of affected devices. Moreover, they can remotely execute malware, which can jeopardize the care provided by the hospital and received by patients.
However, the DHS and FDA are now reporting that the issue can affect more operating systems that use TCP/IP services. The list now includes OSE, INTEGRITY, ThreadX, ITRON, and ZebOS. Reports also remind the public that other operating systems may contain the vulnerabilities.
According to Medical Device Network, IPnet had been in use by other real-time OSes before being acquired by Wind River. These systems continue to use the software.
In light of this, the DHS encourages healthcare companies to inspect their devices and networks. The FDA also released an announcement advising hospitals and other facilities to perform similar checks.
ZDNet noted that the authorities were able to name two devices that are vulnerable to Urgent/11: the BD Alaris infusion pump and the Xprezzon patient monitor. The report reminds those concerned that more devices could be susceptible.
Armis moved to help protect potential victims by releasing a scanning tool. The program scans the network to detect vulnerable devices and those that use the suspect IPnet networking stack.
Medical Device Network noted that the Urgent/11 vulnerabilities “were identified before any great harm could be done.” Nevertheless, the report reminds users that elevating cybersecurity measures is necessary in light of various malicious cyber activities occurring lately.