U.S. government officials issued a warning about cybersecurity vulnerabilities in operating systems that power a variety of medical devices.
Computer security researchers discovered 11 vulnerabilities that could allow a hacker to take control of medical devices, the U.S. Food and Drug Administration warned Oct. 1 in an “urgent” advisory along with the Department of Homeland Security.
“These vulnerabilities may allow anyone to remotely take control of the medical device and change its function, cause denial of service, or cause information leaks or logical flaws, which may prevent device function,” the FDA’s advisory states.
The flaw rests within software called IPNet, developed by Swedish software company Interpeak AB, which is owned by
In a statement, Wind River said it is a “strong proponent of responsible disclosure practices” and that it was important that “the extent of industry impact is determined and disclosed as soon as possible.”
Affected vendors include Microsoft Corp., Green Hills Software Ltd., and Enea AB, according to DHS. Microsoft told federal authorities that its product, ThreadX, no longer includes the IPNet framework, but that earlier versions of the software released prior to Microsoft’s acquisition of ThreadX earlier this year may contain the affected software.
According to an April statement announcing Microsoft’s purchase of Express Logic, the original developer of ThreadX, the real-time operating system is used in 6.2 billion devices, including more than 12 million medical devices.
The FDA advisory states that some medical-device manufacturers are addressing and remediating the flaws found in IPNet software. DHS is advising customers of IPNet to contact the developer for information on how to fix the flaws.
To contact the reporter on this story:
To contact the editors responsible for this story:
© 2019 Bloomberg L.P. All rights reserved. Used with permission.