URGENT/11 Vulnerabilities: Taking ActionResearcher Ben Seri of Armis Describes the Risks and Mitigation Action Items
Healthcare organizations can take steps to start mitigating risks while waiting for vendors to issue software patches to address URGENT/11 IPnet vulnerabilities in medical devices, says researcher Ben Seri of the security firm Armis, which identified the flaws.
The problems exist in IPnet, a third-party software component that supports network communications and is embedded into a variety of legacy medical and industrial devices that are still in use today, despite the software, in many cases, being no longer supported by the original vendors (see FDA Issues Alert on Medical Device IPnet Vulnerabilities).
The collection of URGENT/11 vulnerabilities was first identified by Armis researchers in July as affecting some versions of the real-time operating system VxWorks by Wind River.
But on Oct. 1, the FDA issued its alert, and the DHS updated an earlier advisory after Armis researchers identified six additional real-time operating systems supporting the IPnet TCP/IP stack that are also potentially impacted by the URGENT/11 vulnerabilities.
Exploitation of the vulnerabilities could lead to remote code execution and allow an attacker to take over a whole device without interacting with the user, posing potential harm to patients if a medical device subsequently malfunctions.
"It will take time until patches are available in a wide manner," Seri says in an interview with Information Security Media Group. "You might have a device that's running all sorts of code and you don't have visibility into what it's running or [have] a security agent."
While awaiting patches from vendors, Seri says, "what we think is the best solution for medical devices and any [other affected] devices is ... traffic analysis that will monitor any use of these devices," helping to identify which devices are running any of the real-time operating systems impacted by the URGENT/11 vulnerabilities, he says.
Also, behavioral analysis can help determine "whether a device is acting as it usually acts or is doing something it is not meant to be doing," he adds.
In the interview (see audio link below photo), Seri also discusses:
- The potentially serious risks posed to medical devices and other products containing the URGENT/11 vulnerabilities;
- Why so many devices are potentially impacted by the vulnerabilities;
- Why healthcare organizations worldwide need to be prepared to mitigate the risks.
As head of research at security firm Armis, Seri is responsible for vulnerability research and reverse engineering. His main interest is exploring the uncharted territories of a variety of wireless protocols to detect unknown anomalies. Previously, Seri spent almost a decade in Israel's IDF Intelligence as a researcher and security engineer.