Nearly 4,000 devices made by a range of vendors in the health care, government and retail sectors are running the vulnerable software, according to cybersecurity firms Forescout Technologies and Medigate, which discovered the issue.
The vulnerabilities affect versions of the Nucleus Real-time Operating System, a suite of software owned by Siemens that manages data across critical networks.
Forescout researchers tested the software vulnerabilities in a lab. In one case, they sent malicious commands to a building automation system used in hospitals, taking it offline and cutting off the lights and HVAC system in a mock hospital room, according to the research report. (For that to work in practice, a hacker would either need to be on the local hospital network already or the building automation device would need to be exposed to the internet.)
Fu said the vulnerabilities could affect a range of medical devices, but that it depends on what version of the software is running and whether the device is connected to the internet. In addition to patient monitors, certain anesthesia, ultrasound and x-ray machines could be affected by the software flaw, according to the research.
Researchers claim to have discovered more than a dozen flaws in software used in medical devices and other industries that, if exploited by a hacker, may cause crucial equipment like patient monitoring to crash.

The study, which was shared with CNN exclusively, highlights the difficulties hospitals and other facilities have had keeping sensitive software up to date while the resource-draining coronavirus pandemic persists. It’s also an example of how federal agencies and experts are collaborating more closely to examine cybersecurity problems that could jeopardise patient safety.
After learning of the vulnerabilities, “We began working with our partners across all potentially affected critical infrastructure sectors, including in the health care sector, to inform potentially at-risk vendors of this vulnerability and provide guidance on remediating it,” CISA Deputy Executive Assistant Director for Cybersecurity Matt Hartman said in a statement to CNN.
Elisa Costante, vice president of research at Forescout Technologies, told CNN that her research team wanted to highlight how aging software used in key industries needs to be closely examined for security flaws.
“Our smart world relies on legacy software” that is often harder to maintain, Costante said.
“Today, I have no evidence of this being exploited [by hackers] yet in the wild,” she added. “But do we really need to wait for something major to happen rather than create the awareness [needed to address the vulnerabilities]?”

The FDA has invested more in cybersecurity in recent years in an effort to address how the digitization of patient care opens up risks to hacking. The agency in June 2019 advised patients to stop using a certain insulin pump after researchers showed how a hacker might alter the pump’s settings.