Urgent/11 vulnerabilities threaten healthcare devices, routers and more

Warnings have been issued over potential exploits that could be leveraged against a reportedly wide range of platforms, including healthcare devices, and the likes of security cameras, routers, industrial systems and more.

As Wired reports, this is all down to a suite of network protocol bugs known as Urgent/11, and these flaws are present in contemporary devices thanks to the incorporation of decades-old networking code in modern platforms.

Over in the US, the Department of Homeland Security (specifically the Cybersecurity and Infrastructure Security Agency, or CISA) and FDA are issuing stringent warnings over Urgent/11, along with Armis, a security firm.

Back in the summer, Armis discovered a networking vulnerability found in an OS called VxWorks – and was confused when a few weeks later, a hospital reported that an infusion pump suffered from the bug, even though that piece of medical equipment didn’t use VxWorks.

In fact, the infusion pump operated with a real-time platform called Operating System Embedded, which incorporates IPnet – the latter of which carries the security flaw. It can all be traced back to a Swedish software firm, Interpeak, which created IPnet, a version of the TCP/IP stack.

As CISA explains: “CISA is aware of a public report detailing vulnerabilities found in the Interpeak IPnet TCP/IP stack. The Interpeak IPnet stack vulnerabilities were first reported under ICSA-19-211-01 Wind River VxWorks.

“These vulnerabilities have expanded beyond the affected VxWorks systems and affect additional real-time operating systems (RTOS). CISA has reached out to affected vendors of the report and asked them to confirm the vulnerabilities and identify mitigations.”

CISA further notes that it’s issuing the warning to give folks an early notice of these vulnerabilities and to begin to develop mitigations for reducing the risk of these exploits being leveraged successfully.

Wide-ranging issues

The problem is that there could be a lot of devices out there which are potentially vulnerable, including the medical hardware we mentioned at the outset. Indeed, Wired notes that there are seven affected operating systems – and quite possibly more – which are collectively present in a huge number of Internet of Things devices across the globe.

Ben Seri, vice president of research at Armis, told Wired: “It’s a mess and it illustrates the problem of unmanaged embedded devices. The amount of code changes that have happened in these 15 years are enormous, but the vulnerabilities are the only thing that has remained the same. That’s the challenge.”

Researchers testing for vulnerabilities have found issues not just with the aforementioned infusion pump – a BD Alaris PC Unit infusion pump, to be precise – but also with patient monitors, as well as routers, printers, cameras and mesh Wi-Fi access points.

BD Alaris, incidentally, confirmed that an attacker would have to target individual pumps one at a time – it’s not possible to hit multiple devices – and even if any attempt to exploit was successful, it wouldn’t be possible to interrupt an infusion which was underway at the time. The hacker could, however, force the medical professional using the pump to reboot it before starting a new infusion.

While the damage that can be done in this particular case is limited, it’s not difficult to imagine that a hacker could potentially wreak more havoc with other affected devices.

And part of the problem right now seems to be the degree of uncertainty about how widespread this issue is, and how dangerous it might be to any given device which is affected.

Andrea Carcano, co-founder and CPO at Nozomi Networks, observed: “Hackers may not be currently exploiting these vulnerabilities to target patients. However, if the Urgent/11 vulnerabilities within the affected healthcare systems are exploited, the risk to patients could be immense. The vulnerabilities allow a hacker to take over a medical device or hospital network and steal information.

“Manufacturers and healthcare providers need to remain vigilant, monitoring and assessing any cybersecurity risks posed by medical infrastructure, and proactively disclosing and mitigating vulnerabilities. The FDA has taken the first step in making sure that manufacturers, patients, health care professionals and IT staff are aware and proactively protecting infrastructure from cyber threats.”

Darren is a freelancer writing news and features for TechRadar (and occasionally T3) across a broad range of computing topics including CPUs, GPUs, various other hardware, VPNs, antivirus and more. He has written about tech for the best part of three decades, and writes books in his spare time (his debut novel - 'I Know What You Did Last Supper' - was published by Hachette UK in 2013).