URGENT/11 allows anyone to take control of a medical device.
Photo/Thumb have been modified. Courtesy of lucadp - stock.adobe.com.
The U.S. Food and Drug Administration (FDA) today informed patients, providers and developers that security researchers identified 11 vulnerabilities, dubbed “URGENT/11,” that allow anyone to remotely take control of a medical device. Once taken over, the unauthorized user may change the device’s function, cause denial of service or cause information leaks.
While the agency said it is not aware that the vulnerabilities have been exposed and taken advantage of, software to exploit the vulnerabilities is publicly available.
The vulnerabilities exist in IPnet, a third-party software component that supports communications between computers, the FDA reported. The IPnet software cannot be supported by the original vendor, but with a particular license, some developers can continue using it without support. If that is the case, the software can be added to other applications, equipment and systems which can be used in medical and industrial devices still being used.
IPNet could be affecting VxWorks by Wind River, ThreadX by Microsoft, ZebOS by IP Infusion, Operating System Embedded by ENEA, ITRON by TRON Forum and INTEGRITY by Green Hills. Many of these companies notified their customers about the vulnerabilities.
Along with recommendations for manufacturers and patients, the FDA provided a list of suggestions for healthcare providers and healthcare facility staff (IT teams).
Providers should inform patients who use medical devices that might be affected and remind those who use such devices to seek medical help immediately if they think their device function changed unexpectedly, the agency said.
Healthcare providers can also work with developers to identify if the devices in the facility or in use by patients are affected by these vulnerabilities. If they are, the agency suggested developing a risk mitigation plan.
IT teams can monitor network traffic and logs to see if an exploitation is taking place. Staff can also use firewalls, virtual private networks and other technologies to minimize exposure to URGENT/11.
Get the best insights in digital health directly to your inbox.