FDA issues warning about Urgent/11 vulnerabilities putting critical medical devices at risk

The U.S. Food and Drug Administration is warning healthcare providers and device manufacturers about potentially serious security flaws that may introduce risks for hospital networks and thousands of medical devices.

The security flaws trace back to a third-party TCP/IP networking stack written nearly two decades ago that was licensed widely enough to become a de facto industry standard in embedded devices.

The FDA is not aware of any confirmed adverse events related to these vulnerabilities. However, software to exploit these vulnerabilities is already publicly available, the agency said in a safety advisory issued Tuesday. Devices determined to be affected so far include an imaging system, an infusion pump and an anesthesia machine, the FDA said.

Researchers at security firm Armis Security originally identified 11 vulnerabilities, collectively named Urgent/11, in IPnet, a third-party TCP/IP stack that handles network communications for the devices that embed it. According to the FDA, these vulnerabilities may allow a remote attacker to take control of a medical device and change its function, cause a denial of service, leak information, or trigger logic errors that prevent the device from functioning.

The flaws affect devices running versions of the VxWorks real-time operating system going back to 2006, a population that includes routers, modems, firewalls, printers, VoIP phones, SCADA systems, internet of things devices, and even MRI machines and elevators.


"Urgent/11 is serious as it enables attackers to take over devices with no user interaction required, and even bypass perimeter security devices such as firewalls and NAT solutions. These devastating traits make these vulnerabilities ‘wormable,’ meaning they can be used to propagate malware into and within networks," Armis researchers wrote in a blog post.

Such an attack has a potential for harm resembling that of EternalBlue, the SMB exploit used to spread the WannaCry malware.

"Though the IPnet software may no longer be supported by the original software vendor, some manufacturers have a license that allows them to continue to use it without support. Therefore, the software may be incorporated into other software applications, equipment, and systems that may be used in a variety of medical and industrial devices that are still in use today," the FDA stated.

The Urgent/11 vulnerabilities may affect devices running any real-time operating system that incorporated the IPnet TCP/IP stack, including VxWorks by Wind River, Operating System Embedded (OSE) by ENEA, Integrity by Green Hills, ThreadX by Microsoft, ITRON by TRON Forum and ZebOS by IP Infusion, the FDA said.

Armis Security researchers said devices using the operating system Nucleus RTOS by Mentor also may be impacted. The Department of Homeland Security issued an updated security advisory about the cybersecurity vulnerabilities Tuesday.

Armis released URGENT/11 Detector, a free, downloadable tool designed to detect devices vulnerable to Urgent/11 regardless of the real-time operating system the device uses. 

George Gray, chief technology officer of medical device company Ivenix, said many medical devices are difficult to update and often are not getting updated unless a serious problem exists.

"As a result, though IPnet may no longer be officially supported by these operating systems, it could still be running in existing medical devices. The best way for a hospital engineer to find out whether this affects their devices is to contact their vendors directly. And, if vulnerable, pull the affected devices off the network until a security update can be made available," he said.


Wired reported that Microsoft absorbed ThreadX through an April acquisition of the real-time IoT company Express Logic. A Microsoft spokesperson told WIRED in a statement that, "We’ve investigated these reports and confirmed that these vulnerabilities do not impact any ThreadX release." This doesn't preclude the possibility, though, that there are vulnerable devices out there running versions of ThreadX alongside an IPnet license, Wired said.

The FDA said some medical device manufacturers are already actively assessing which devices that use these operating systems are affected by Urgent/11 and identifying risk and remediation actions. The FDA expects that additional medical devices will be identified that contain one or more of the vulnerabilities associated with the original IPnet software. 

Armis originally disclosed the 11 zero-day vulnerabilities in VxWorks in July, calling it "the most widely used operating system you may never have heard about." VxWorks runs on over 2 billion devices, including critical industrial, medical and enterprise equipment.

"The primary users of RTOSs are critical devices such as medical devices, which can have exceptionally long life-cycles, making them especially prone to vulnerabilities in legacy 3rd party code," Armis researchers wrote.

One example of such a device is the widely used Alaris infusion pump from Becton Dickinson (BD). The Alaris pump runs on ENEA's OSE with the IPnet TCP/IP stack and is therefore affected by Urgent/11, according to Armis.


A BD spokesperson told Wired that the vulnerabilities could not be exploited en masse on an Alaris PC Unit. BD published a list of mitigations in its product security bulletin, including a specific firewall rule intended to block remote attempts to exploit the IPnet bugs.

VxWorks and IPnet are now owned by Wind River, but IPnet was originally developed by Interpeak in the early 2000s. Before Wind River acquired it, Interpeak licensed the stack to other operating system vendors to integrate into their own systems. IPnet may also have been incorporated into other software applications, equipment and systems, the FDA warned.

Following Armis' July disclosure, vendors issued more than 30 security advisories detailing affected products, including leading global medical technology companies such as GE Healthcare, Philips, Dräger and now BD.

Spacelabs also issued an advisory for its Xprezzon patient monitor, which is affected by Urgent/11 through its use of the IPnet stack in VxWorks 6.6, a release that is 12 years old, Armis wrote.