Operating System Vulnerabilities in Many Medical Devices, Germany’s BfArM and Device Firms Warn
Germany’s Federal Institute for Drugs and Medical Devices (BfArM) warned Tuesday of critical vulnerabilities in Wind River’s real-time operating system VxWorks, which is used in many medical devices, including MRI machines and patient monitors.
“Medical device manufacturers using this operating system must implement risk mitigation measures based on their updated risk analysis in light of this vulnerability,” BfArM said.
The warning follows the disclosure earlier this month by Armis Labs of 11 vulnerabilities in VxWorks, six of them rated critical. The security firm noted that the flaws are especially serious because an attacker could take over an affected device with no user interaction and could even reach devices behind perimeter security.
“These devastating traits make these vulnerabilities ‘wormable,’ meaning they can be used to propagate malware into and within networks,” Armis said.
Medical device companies including GE Healthcare, Philips, Siemens and Dräger have released their own warnings and security advisories, noting which of their systems are vulnerable.
Dräger, for instance, said one of its systems for stabilizing the temperature of neonates, the Babyleo TN500, is affected by the vulnerabilities and will require a software patch. Philips said its HDI 3000 ultrasound system is vulnerable, too. And GE Healthcare said last week that it is actively assessing which of its products are impacted by the vulnerabilities.
“Since VxWorks is ordinarily used by the industrial and healthcare sectors, they are both put at an exceptionally severe risk by the URGENT/11 vulnerabilities,” Armis added. “This risk only intensifies considering the critical nature of VxWorks devices in such environments. A compromised industrial controller could shut down a factory, and a pwned [controlled] patient monitor could have a life-threatening effect.”
Michael Parker, Armis’ chief marketing officer, told Wired: “It’s things like firewalls or robotic arms, or think about patient monitors and medical equipment. They have to basically create a whole new operating system and get FDA approval. You can’t just shut down a product line and do these updates.”