Urgent/11 Zero-Days Expose Risk For IoT Devices
By: Jim Stickley and Tina Davis
November 3, 2019
In this rapidly moving world of new technology, serious concerns have been raised about old and outdated technology that some very sensitive devices still depend on. An alarm was recently sounded by a hospital, saying a vulnerability in a networking system entirely prevented an infusion pump from working. Researchers discovered that not only were infusion pump operating systems in trouble, but so were patient monitors, various security cameras, routers, and much more. They also found that millions of devices across multiple manufacturers using the VxWorks operating system were at risk of malfunction. It’s a huge concern that now involves the Department of Homeland Security and the Food and Drug Administration (FDA). It was also discovered that the technology we all use on the IoT (Internet of Things) at home and at work may also be at risk.
The problem lies with decades-old networking code that was still being used to run devices and that was never updated over a span of years. As a result, security bugs in the VxWorks operating system were never fixed. It’s currently believed that at least seven operating systems are affected, impacting countless devices in the medical industry. The vulnerabilities put devices at risk of denial-of-service (DoS) attacks, and complete takeover of devices is possible. Interpeak, a Swedish software company, was purchased in 2006 by Wind River, the original creators of VxWorks. Long story short, the many companies Interpeak sold a variant of VxWorks to were unknown to Wind River. As a result, all those operating systems never received the security bug fixes necessary to run those devices without fear of harm to patients using them. The Wind River chief security architect states, “…Wind River believes it is critically important…the extent of industry impact is determined and disclosed as soon as possible.”
Unfortunately, there isn’t much to be done at this point other than keeping other supporting devices up to date or switching to a product that is supported, if that’s possible. In any case and for all devices, particularly healthcare-related devices designed to keep you healthy or alive, keep up with updates, read any important notifications from the manufacturers, and upgrade them when possible or when there is a serious issue with unsupported products.
In the meantime, the FDA is actively addressing the issue of old technology presenting new problems in healthcare. They are advocating that a “software bill of materials” be used to outline device technology components in order to effectively address vulnerabilities when they appear. Other IoT devices are also at risk, including a Panasonic doorbell camera. Unfortunately, this finding illustrates that the problem may extend far beyond healthcare and into the devices we use every day on the IoT. Everyone involved agrees it’s going to take time to clear old technology of its security bugs and move forward toward safety and standardization of device security measures. Awareness of security issues from the outset goes a long way toward preventing further problems with old technology.