FDA Issues Alert on Medical Device IPnet Vulnerabilities
Agency Warns That 11 Issues May Pose Risks to Devices, Networks
The Food and Drug Administration has issued an alert warning healthcare organizations about 11 vulnerabilities dubbed “URGENT/11” involving IPnet, a third-party software component that may introduce risks for certain medical devices and hospital networks.
To mitigate the risks, the FDA is advising healthcare providers that use affected devices to take several steps, including applying appropriate patches and using firewalls, virtual private networks or other technologies that minimize exposure to URGENT/11 exploitation.
The FDA alert issued Tuesday notes that researchers at security firm Armis have identified the vulnerabilities that could allow someone to remotely take control of the medical device and change its function, cause denial of service, or cause information leaks or logical flaws, which may prevent device function.
"While we are not aware of patients who may have been harmed by this particular cybersecurity vulnerability, the risk of patient harm if such a vulnerability were left unaddressed could be significant," says Suzanne Schwartz, M.D., deputy director of the Office of Strategic Partnerships and Technology Innovation in the FDA's Center for Devices and Radiological Health, in a statement.
Schwartz adds: "The safety communication issued today contains recommendations for what actions patients, healthcare providers and manufacturers should take to reduce the risk this vulnerability could pose. It's important for manufacturers to be aware that the nature of these vulnerabilities allows the attack to occur undetected and without user interaction. Because an attack may be interpreted by the device as a normal network communication, it may remain invisible to security measures."
The FDA is not aware of any confirmed adverse events related to these vulnerabilities, the alert notes. “However, software to exploit these vulnerabilities is already publicly available,” it points out.
Former healthcare CISO Mark Johnson, who now works at the consulting firm LBMC Information Security, says that the FDA’s warning that the vulnerabilities are remotely exploitable and take a low skill level to exploit is “the worst combination … I don’t have to be in the same physical location, and it’s easy to do.”
Clyde Hewitt, executive vice president of security consultancy CynergisTek, offers a similar appraisal. "The IPnet software vulnerability exposes one of the most serious flaws found within the vendor supply chain – the lack of visibility into the systems, including the source code that drives our critical components."
Third-Party Software Components
The 11 vulnerabilities exist in IPnet, a third-party software component that supports network communications between computers, the FDA notes.
“Though the IPnet software may no longer be supported by the original software vendor, some manufacturers have a license that allows them to continue to use it without support. Therefore, the software may be incorporated into other software applications, equipment and systems which may be used in a variety of medical and industrial devices that are still in use today,” the FDA warns.
Security researchers, medical device manufacturers, and the FDA are aware that some versions of operating systems from a number of vendors are affected, including:
- VxWorks by Wind River;
- Operating System Embedded, or OSE, by ENEA;
- Integrity by Green Hills;
- ThreadX by Microsoft;
- ITRON by TRON Forum;
- ZebOS by IP Infusion.
“Some medical device manufacturers are already actively assessing which devices that use these operating systems are affected by URGENT/11 and identifying risk and remediation actions,” the FDA notes.
“Several manufacturers have also notified their customers with devices determined to be affected so far, which include an imaging system, an infusion pump and an anesthesia machine,” the agency says.
The FDA expects that additional medical devices will be identified that contain one or more of the vulnerabilities associated with the original IPnet software.
On July 30, the Cybersecurity and Infrastructure Security Agency within the Department of Homeland Security also released an advisory about URGENT/11.
“Since publication of the advisory, the FDA became aware that these vulnerabilities may affect other operating systems that use the IPnet. Currently, VxWorks and IPnet are owned by Wind River,” the alert notes.
“IPnet was originally manufactured by Interpeak. Before Wind River purchased IPnet, Interpeak licensed this software to other Real Time Operating System, or RTOS, vendors to integrate into their operating systems. IPnet may also have been incorporated into other software applications, equipment and systems.”
DHS also issued an updated alert on Tuesday about the vulnerabilities.
That DHS alert notes that some device vendors affected by the reported vulnerabilities have also released security advisories related to their affected products. Among those companies are:
"Our early efforts suggest that the identified operating systems are present in a number of regulated medical devices," says the FDA in a statement provided to Information Security Media Group.
"We are continuing to work with various stakeholders and subject matter experts to obtain a better understanding. However, due to the complexities in how the code from the IPnet third-party software component was incorporated into various medical devices and the availability of the exact operating system versions impacted, it will be difficult to develop a comprehensive list."
Additionally, IPnet may have been incorporated into other software applications, equipment and systems, the FDA notes. "Medical device manufacturers are actively assessing which devices may be affected by these vulnerabilities and identifying risk and remediation actions. Manufacturers have been asked to evaluate the impact of these vulnerabilities on their devices and to communicate their findings and recommendations for risk reduction to their customers as they have the most knowledge regarding their products."
Steps to Take
The FDA outlined a number of steps that healthcare providers, manufacturers and patients should take to address the vulnerabilities.
The agency advises healthcare providers to work with device manufacturers to determine which devices may be affected by the URGENT/11 vulnerabilities and to develop risk mitigation plans to address the issues.
“Monitor your network traffic and logs for indications that an URGENT/11 exploit is taking place,” the FDA says. “Use firewalls, virtual private networks or other technologies that minimize exposure to URGENT/11 exploitation.”
Healthcare providers should also advise patients who use medical devices that may be affected, according to the alert. “Remind patients who use medical devices to seek medical help right away if they think operation or function of their medical device changed unexpectedly.”
In its recommendations to manufacturers, the FDA highlights the importance of conducting a risk assessment.
“Please keep in mind that the nature of the vulnerabilities allows the attack to occur undetected and without user interaction. Because an attack may be interpreted by the affected device as normal and benign network communications, it may remain invisible to existing security measures,” the FDA warns.
“Work with the operating system vendor to identify if a patch is available and implement recommended mitigation methods. Medical device manufacturers will need to evaluate and validate the patch for their devices.”
Manufacturers should ensure that any mitigations that are currently employed - for example, firewalls and virtual private networks - are not impacted by URGENT/11, the FDA points out.
“Develop a plan for updating your medical device to accommodate a version of an OS - or a communication protocol - that is not impacted by the URGENT/11 vulnerabilities,” the alert urges.
Manufacturers also should work with healthcare organizations to determine affected medical devices and discuss and develop ways to ensure that risks are reduced to acceptable levels, the FDA says.
“Communicate with your customers and the user community regarding your assessment and recommendations for risk mitigation strategies and any compensating controls, to allow customers to make informed decisions about device use,” the alert states. “Provide an information sharing analysis organization with any customer communications upon notification of your customers.”
The FDA is also instructing manufacturers to report any medical devices vulnerable to the URGENT/11 flaws to DHS.
The FDA’s alert notes that some customers bought a license of IPnet that allows them to continue to use an unsupported version, Johnson of LBMC Information Security says. “This is where the problem comes in for those med device manufacturers. They have built their devices and may or may not be able to use a better, new version of IPnet.”
Operating systems are made up of component parts from different manufacturers, he notes. “Software manufacturers who are more cyber mature have developed processes to watch for these kinds of alerts from cybersecurity researchers and evaluate their software suites to see if they are affected and if they are, work on patches for them,” he says.
”It appears that the medical device manufacturers are beginning to do that as well. This is a very good thing,” he adds. “We will continue to see these alerts as more and more security researchers look at these types of devices.”
Hewitt of CynergisTek notes that in this latest situation involving URGENT/11, "we find that medical device manufacturers ... have leveraged third-party products in mission-critical roles. The end users of the devices rarely have an opportunity to review the risks of this collection of parts and must rely on vendors to keep track. When third parties cease to support legacy software or even go out of business, no one is available to perform software updates or even test the systems against emerging threats. The problem will only get worse as code reuse and device lifecycles extend."
These types of supply chain-related vulnerability issues will continue and potentially worsen, he says. "We have also seen an emergence of directed attacks higher up in the value chain as malicious actors are taking advantage of legacy vulnerabilities to have a maximum impact on a domain."