The U.S. Food and Drug Administration (FDA) issued a formal warning on Tuesday on vulnerabilities detected in decades-old software used in many of today's medical devices and hospital networks. 

The warning claims that 11 vulnerabilities exist in IPnet, a third-party software component that supports network communications across computers. If these vulnerabilities are exploited, hackers are allowed to remotely control medical devices, change its functions, obstruct services, and trigger information leaks that could cause the devices to stop working. 

The creators of the original IPnet software, Interpeak, no longer support the software. However, there are manufacturers out there with a license without support, meaning it could be incorporated into other applications, equipment, and systems still being used in today's medical devices. 

The vulnerabilities discovered in the IPnet stack were originally found by IoT Security firm Armis back in July 2019, collectively known as URGENT/11. Consequently, over 30 vendors have issued security advisories about the vulnerabilities. 

Upon discovery, many thought the vulnerabilities only affected some versions of the operating system Wind River VxWorks, but the real impact is much greater because the IPnet software was licensed and used on multiple operating systems. 

The FDA warns that some versions of operating systems Integrity by Green Hills, ThreatX by Microsoft, Operating System Embedded by ENEA, ITRON by TRON Forum, and ZebOS by IP Infusion may contain the vulnerable software component. 

So far, an imaging system, an infusion pump, and an anesthesia machine have been found with the impacted vulnerabilities, but the FDA warns that it expects additional medical devices to be identified that contain one or more of the vulnerabilities. 

All of IPnet's vulnerabilities have been identified as Zero-Day, meaning they've existed since the software's creation. 

This news comes on the heels of the new 45-page document Principles and Practices for Medical Device Cybersecurity, released this week by the International Medical Device Regulators Forum (IMDRF). The guidance was developed by the FDA and Health Canada and says about third-party components, "These components can create a risk of their own, which is managed by the manufacturer through risk management, quality management, and design choice. Manufacturers should manage the cybersecurity implications of the components—software and hardware—that are part of their devices." The report added, "post-market issues with a third-party component may also affect the security of the medical device, and manufacturers need to manage this risk. Users expect the manufacturer to understand how a security vulnerability in an underlying component such as an operating system or processor affects the medical device. Regulators will require it."

Health data and medical records belonging to millions of Americans were also recently found available online and unprotected from abuse by anyone with basic computer skills. This discovery came from Greenbone Networks, a German security provider that identified security issues across 52 different countries. NNT is the sole North American reseller of Greenbone, to learn more, visit our website.

 

 

 

The Most Powerful & Reliable Cybersecurity Products

change tracker gen7r2 logo

Change Tracker Gen 7R2: Complete configuration and system integrity assurance combined with the most comprehensive and intelligent change control solution available.

FAST Cloud logo

Fast Cloud: Leverage the world’s largest whitelist repository to automatically evaluate and verify the authenticity of file changes in real-time with NNT FAST™ (File Approved-Safe Technology)

vulnerability tracker logo

Vulnerability Tracker: The world’s only limitless and unrestricted vulnerability scanning solution with unparalleled accuracy and efficiency, protecting your IT assets on premises, in the cloud and mobile endpoints.

log tracker logo

Log Tracker: Comprehensive and easy to use security information & event log management with intelligent & self-learning correlation technology to highlight potentially harmful activity in seconds

Contact Us

Corporate Headquarters

Netwrix
6160 Warren Parkway, Suite 100
Frisco, Texas, 75034

Phone 1: 1-949-407-5125

Phone 2: 888-638-9749 (toll-free)


[email protected]
 

United Kingdom

Netwrix
5 New Street Square
London EC4A 3TW

Phone: +44 (0) 203 588 3023


 [email protected]
SC Magazine Cybersecurity 500 CSGEA Winners 2021 CIS benchmarking SEWP Now Certified IBM Security
Copyright 2023, New Net Technologies LLC. All rights reserved. 
NNT and Change Tracker are registered trademarks of New Net Technologies LLC.
All other product, company names and trademarks are the property of their respective owners.