Millions of medical devices using old code are open to attack, FDA says
The recent discovery highlights an alarming cybersecurity vulnerability in the health care industry.
- In July, the security firm Armis Security discovered network protocol bugs in a software component that supports many medical devices operating today.
- Now, the FDA and security researchers say that these vulnerabilities extend to more devices than initially thought.
- Fortunately, a large-scale attack seems impossible.
The Food and Drug Administration is warning hospitals and healthcare providers about decades-old cybersecurity vulnerabilities that could mean millions of medical devices are, and have for years been, open to attack.
In July, the security firm Armis Security discovered a suite of 11 network protocol bugs, named Urgent/11, within IPnet, a software component that supports network communications. These bugs could allow hackers to take control of certain medical devices and change their function, cause a denial of service, or cause information leaks or logical flaws that may prevent the device from functioning correctly, the FDA stated.
"Urgent/11 is serious as it enables attackers to take over devices with no user interaction required, and even bypass perimeter security devices such as firewalls and NAT solutions," Armis researchers wrote in a blog post. "These devastating traits make these vulnerabilities 'wormable,' meaning they can be used to propagate malware into and within networks."
This week, security researchers and government officials warned that these bugs aren't limited to platforms running IPnet, but also affect other distinct platforms that have incorporated the same decades-old code.
"Though the IPnet software may no longer be supported by the original software vendor, some manufacturers have a license that allows them to continue to use it without support," the FDA wrote in a statement. "Therefore, the software may be incorporated into other software applications, equipment, and systems which may be used in a variety of medical and industrial devices that are still in use today."
What kinds of devices might be vulnerable? Patient monitors, infusion pumps, cameras, printers, routers, Wi-Fi mesh access points, and a Panasonic doorbell camera, to name a few. But fortunately, a large-scale attack is likely impossible because, as a BD Alaris spokesperson told WIRED, hackers would need to target each device individually. Also, hackers wouldn't be able to, for example, interrupt an in-process infusion.
Still, the discovery highlights a problem in the healthcare industry: most medical devices are hard to update, and don't get updated unless a serious problem occurs.
"It's a mess and it illustrates the problem of unmanaged embedded devices," said Ben Seri, vice president of research at Armis. "The amount of code changes that have happened in these 15 years are enormous, but the vulnerabilities are the only thing that has remained the same. That's the challenge."
Some operating systems that might be affected include:
- VxWorks (by Wind River)
- Operating System Embedded (OSE; by ENEA)
- INTEGRITY (by Green Hills)
- ThreadX (by Microsoft)
- ITRON (by TRON Forum)
Armis released a free urgent11-detector tool that's able to detect whether a system, on any operating system, is vulnerable to Urgent/11. The FDA also published a list of recommendations for health care providers, patients, and caregivers on its website.