The U.S. Food and Drug Administration (FDA) issued a formal warning on Tuesday about vulnerabilities detected in decades-old software used in many of today's medical devices and hospital networks.

The warning states that 11 vulnerabilities exist in IPnet, a third-party software component that supports network communications between computers. If these vulnerabilities are exploited, hackers could remotely control medical devices, change their functions, obstruct services, and trigger information leaks that could cause the devices to stop working.

Interpeak, the creator of the original IPnet software, no longer supports it. However, some manufacturers hold a license to use the software without support, meaning it could be incorporated into other applications, equipment, and systems still being used in today's medical devices.

The vulnerabilities in the IPnet stack, collectively known as URGENT/11, were originally found by IoT security firm Armis in July 2019. Consequently, over 30 vendors have issued security advisories about the vulnerabilities.

Upon discovery, many thought the vulnerabilities only affected some versions of the operating system Wind River VxWorks, but the real impact is much greater because the IPnet software was licensed and used on multiple operating systems. 

The FDA warns that some versions of the operating systems Integrity by Green Hills, ThreadX by Microsoft, Operating System Embedded by ENEA, ITRON by TRON Forum, and ZebOS by IP Infusion may contain the vulnerable software component.

So far, an imaging system, an infusion pump, and an anesthesia machine have been found to be affected by the vulnerabilities, but the FDA warns that it expects additional medical devices to be identified that contain one or more of the vulnerabilities.

All of IPnet's vulnerabilities have been identified as Zero-Day, meaning they've existed since the software's creation. 

This news comes on the heels of the new 45-page document Principles and Practices for Medical Device Cybersecurity, released this week by the International Medical Device Regulators Forum (IMDRF). The guidance was developed by the FDA and Health Canada and says about third-party components, "These components can create a risk of their own, which is managed by the manufacturer through risk management, quality management, and design choice. Manufacturers should manage the cybersecurity implications of the components—software and hardware—that are part of their devices." The report added, "post-market issues with a third-party component may also affect the security of the medical device, and manufacturers need to manage this risk. Users expect the manufacturer to understand how a security vulnerability in an underlying component such as an operating system or processor affects the medical device. Regulators will require it."

Health data and medical records belonging to millions of Americans were also recently found available online and unprotected from abuse by anyone with basic computer skills. This discovery came from Greenbone Networks, a German security provider that identified security issues across 52 different countries. NNT is the sole North American reseller of Greenbone; to learn more, visit our website.

 

 

 

Copyright 2019, New Net Technologies LLC. All rights reserved. 