Millions of medical devices using old code are open to attack, FDA says
The recent discovery highlights an alarming cybersecurity vulnerability in the health care industry.
- In July, the security firm Armis Security discovered network protocol bugs in a software component that supports many medical devices operating today.
- Now, the FDA and security researchers say that these vulnerabilities extend to more devices than initially thought.
- Fortunately, a large-scale attack seems impossible.
The Food and Drug Administration is warning hospitals and healthcare providers about decades-old cybersecurity vulnerabilities that could mean millions of medical devices are, and have for years been, open to attack.
In July, the security firm Armis Security discovered a suite of 11 network protocol bugs, named Urgent/11, within IPnet, a software component that supports network communications. These bugs could allow hackers to take control of certain medical devices and change their function, cause a denial of service, or cause information leaks or logical flaws that may prevent the device from functioning correctly, the FDA stated.
"Urgent/11 is serious as it enables attackers to take over devices with no user interaction required, and even bypass perimeter security devices such as firewalls and NAT solutions," Armis researchers wrote in a blog post. "These devastating traits make these vulnerabilities 'wormable,' meaning they can be used to propagate malware into and within networks."
This week, security researchers and government officials warned that these bugs aren't limited to platforms running IPnet, but also other distinct platforms that have incorporated the same decades-old code.
"Though the IPnet software may no longer be supported by the original software vendor, some manufacturers have a license that allows them to continue to use it without support," the FDA wrote in a statement. "Therefore, the software may be incorporated into other software applications, equipment, and systems which may be used in a variety of medical and industrial devices that are still in use today."
What kinds of devices might be vulnerable? Patient monitors, infusion pumps, cameras, printers, routers, Wi-Fi mesh access points, and a Panasonic doorbell camera, to name a few. But fortunately, a large-scale attack is likely impossible because, as a BD Alaris spokesperson told WIRED, hackers would need to target each device individually. Also, hackers wouldn't be able to, for example, interrupt an in-process infusion.
Still, the discovery highlights a problem in the healthcare industry: most medical devices are hard to update, and don't get updated unless a serious problem occurs.
"It's a mess and it illustrates the problem of unmanaged embedded devices," said Ben Seri, vice president of research at Armis. "The amount of code changes that have happened in these 15 years are enormous, but the vulnerabilities are the only thing that has remained the same. That's the challenge."
Some operating that might be affected include:
- VxWorks (by Wind River)
- Operating System Embedded (OSE; by ENEA)
- INTEGRITY (by Green Hills)
- ThreadX (by Microsoft)
- ITRON (by TRON Forum)
Armis released a free urgent11-detector tool that's able to detect whether a system, on any operating system, is vulnerable to Urgent/11. The FDA also published a list of recommendations for health care providers, patients, and caregivers on its website.
The pandemic reminds us that our higher education system, with all its flaws, remains a key part of our strategic reserve.
- America's higher education system is under great scrutiny as it adapts to a remote-learning world. These criticisms will only make higher ed more innovative.
- While there are flaws in the system and great challenges ahead, higher education has adapted quickly to allow students to continue learning. John Katzman, CEO of online learning organization Noodle Partners, believes this is cause for optimism not negativity.
- Universities are pillars of scientific research on the COVID-19 frontlines, they bring facts in times of uncertainty and fake news, and, in a bad economy, education is a personal floatation device.
Researchers present what they’ve learned now that they can read the tiny text inside the Antikythera mechanism.
Though it it seemed to be just a corroded lump of some sort when it was found in a shipwreck off the coast of Greece near Antikythera in 1900, in 1902 archaeologist Valerios Stais, looking at the gear embedded in it, guessed that what we now call the “Antikythera mechanism" was some kind of astronomy-based clock. He was in the minority—most agreed that something so sophisticated must have entered the wreck long after its other 2,000-year-old artifacts. Nothing like it was believed to have existed until 1,500 years later.
The institutional barriers that have often held creative teaching back are being knocked down by the coronavirus era.
- Long-held structures in the education system, like classroom confines and schedules, have held back innovation for a long time, says education leader Richard Culatta.
- In the coronavirus era, we have been able to shake some of those rigid structures loose, making way for creativity and, ultimately, a more open mindset.
- When creativity and technology combine, learning can become so much more than delivering content to a student. Culatta gives two stunning examples: one of a biotech class, and another involving a student discovering a star.
We'd like to think that judging people's worth based on the shape of their head is a practice that's behind us.
'Phrenology' has an old-fashioned ring to it. It sounds like it belongs in a history book, filed somewhere between bloodletting and velocipedes.
Maybe you've been wondering if you're seeing one persistent squirrel or a rotating cast of characters.