Cybersecurity Flaws Could Impact Medical Devices
U.S. government officials issued a warning about cybersecurity vulnerabilities in operating systems that power a variety of medical devices.
Computer security researchers discovered 11 vulnerabilities that could allow a hacker to take control of medical devices, the U.S. Food and Drug Administration warned in an “urgent” advisory along with the Department of Homeland Security.
“These vulnerabilities may allow anyone to remotely take control of the medical device and change its function, cause denial of service, or cause information leaks or logical flaws, which may prevent device function,” the FDA’s advisory states.
The flaws rest within software called IPNet, developed by Swedish software company Interpeak AB, which is owned by Wind River Systems Inc. The company licenses this software to real-time operating system developers, and those systems power a range of medical devices. IPNet is highly technical software that facilitates the transfer of data between computers and the internet.
In a statement, Wind River said it is a “strong proponent of responsible disclosure practices” and that it was important that “the extent of industry impact is determined and disclosed as soon as possible.”
Affected vendors include Microsoft Corp., Green Hills Software Ltd., and Enea AB, according to DHS. Microsoft told federal authorities that its product, ThreadX, no longer includes the IPNet framework, but that earlier versions of the software released prior to Microsoft’s acquisition of ThreadX earlier this year may contain the affected software.
“We’ve investigated these reports and confirmed that these vulnerabilities do not impact any ThreadX release,” a Microsoft spokeswoman said via email.
According to an April statement announcing Microsoft’s purchase of Express Logic, the original developer of ThreadX, the real-time operating system is used in 6.2 billion devices, including more than 12 million medical devices.