Operating System Vulnerabilities in Many Medical Devices, Germany’s BfArM and Device Firms Warn

Posted 27 August 2019 | By Zachary Brennan 

Germany’s Federal Institute for Drugs and Medical Devices (BfArM) warned Tuesday of critical vulnerabilities in Wind River’s real-time operating system VxWorks, which is used in many medical devices, including MRI machines and patient monitors.

“Medical device manufacturers using this operating system must implement risk mitigation measures based on their updated risk analysis in light of this vulnerability,” BfArM said.

The warning follows the disclosure earlier this month by Armis Labs of 11 vulnerabilities in VxWorks, six of which are critical. The security firm also noted that the vulnerabilities are serious because attackers could take over devices with no user interaction and even bypass perimeter security.

“These devastating traits make these vulnerabilities ‘wormable,’ meaning they can be used to propagate malware into and within networks,” Armis said.

Medical device companies including GE Healthcare, Philips, Siemens and Dräger have released their own warnings and security advisories, noting which of their systems are vulnerable.

Dräger, for instance, said one of its systems for stabilizing the temperature of neonates, the Babyleo TN500, is affected by the vulnerabilities and will require a software patch. Philips said its HDI 3000 ultrasound system is vulnerable, too. And GE Healthcare said last week that it is actively assessing which of its products are impacted by the vulnerabilities.

“Since VxWorks is ordinarily used by the industrial and healthcare sectors, they are both put at an exceptionally severe risk by the URGENT/11 vulnerabilities,” Armis added. “This risk only intensifies considering the critical nature of VxWorks devices in such environments. A compromised industrial controller could shut down a factory, and a pwned [controlled] patient monitor could have a life-threatening effect.”

Wind River has been working to patch the vulnerabilities, but Armis warns that the process could take a long time.

Michael Parker, Armis’ chief marketing officer, told Wired: “It’s things like firewalls or robotic arms, or think about patient monitors and medical equipment. They have to basically create a whole new operating system and get FDA approval. You can’t just shut down a product line and do these updates.”

Armis

BfArM

© 2021 Regulatory Affairs Professionals Society.
