Researchers Warn Of Software Flaws With Medical Devices

Researchers in the US have issued a warning about the software used in medical devices and machinery, which is vulnerable to exploitation.

The flaws uncovered by cybersecurity firms Forescout Technologies and Medigate are deemed so serious that, if exploited, they could cause critical equipment such as patient monitors or anaesthesia machines to crash.

This is not the first time that there have been warnings about the threat to medical equipment from hackers.

Previous vulnerabilities

In 2012 researchers from McAfee showed they could take control of insulin pumps implanted inside diabetes patients. Scientists at the University of Massachusetts also showed that they could use radio attacks to turn off defibrillators inside heart patients.

Then in 2015 two researchers found that commonly used medical equipment, such as MRI machines, infusion systems, and pacemakers, was vulnerable to cyberattack.

And in 2017 researchers found more than 8,000 known vulnerabilities in the code inside pacemakers. The revelation came from researcher Billy Rios and Dr Jonathan Butts from security company Whitescope. Their study also found that hackers can easily purchase ‘pacemaker programmers’ from online auction websites.

In 2018 medical devices made by New Jersey-based Becton, Dickinson and Company (BD) were discovered to be vulnerable to a class of Wi-Fi security flaws, with the firm saying the bug could allow hackers to gain access to hospital networks.

And this year Apple warned people about the magnets in iPhones and about keeping the phones away from implanted magnetic devices.

The iPhone 12 and 13 have MagSafe technology, and Apple warned users that iPhones contain magnets and radios that emit electromagnetic fields, both of which ‘may interfere’ with medical devices such as implanted pacemakers and defibrillators.

Fresh medical warning

Now the new warning from Forescout Technologies and Medigate, reported by CNN, reveals that nearly 4,000 devices made by a range of vendors in the healthcare, government and retail sectors are running vulnerable software.

The good news is that there is no evidence that malicious hackers have taken advantage of the software flaws, and doing so would require prior access to networks in some cases, Forescout reportedly said.

Siemens, which owns the software, has issued updates fixing the vulnerabilities.

The German firm worked with federal officials and the researchers to verify and address the vulnerabilities through software updates.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is expected to issue an advisory Tuesday encouraging users to update their systems in response to the report, according to researchers.

After learning of the vulnerabilities, “We began working with our partners across all potentially affected critical infrastructure sectors, including in the health care sector, to inform potentially at-risk vendors of this vulnerability and provide guidance on remediating it,” CISA Deputy Executive Assistant Director for Cybersecurity Matt Hartman said in a statement to CNN.

The vulnerabilities affect versions of the Nucleus Real-time Operating System, a suite of software owned by Siemens that manages data across critical networks.

Tom Jowitt
