U.S. Warns Cybersecurity Flaws Could Impact Medical Devices
(Bloomberg) -- U.S. government officials on Tuesday issued a warning about cybersecurity vulnerabilities in operating systems that power a variety of medical devices.
“These vulnerabilities may allow anyone to remotely take control of the medical device and change its function, cause denial of service, or cause information leaks or logical flaws, which may prevent device function,” the FDA’s advisory states.
The flaw rests within software called IPNet, developed by Swedish software company Interpeak AB, which is owned by Wind River Systems Inc. The company licenses this software to real-time operating system developers, and those systems power a range of medical devices. IPNet is highly technical software that facilities that transfer of data between computers and the internet.
In a statement, Wind River said it is a “strong proponent of responsible disclosure practices” and that it was important that “the extent of industry impact is determined and disclosed as soon as possible.”
Affected vendors include Microsoft Corp., Green Hills Software Ltd., and Enea AB, according to DHS. Microsoft told federal authorities that its product, ThreadX, no longer includes the IPNet framework, but that earlier versions of the software released prior to Microsoft’s acquisition of ThreadX earlier this year may contain the affected software.
“We’ve investigated these reports and confirmed that these vulnerabilities do not impact any ThreadX release,” a Microsoft spokeswoman said via email.
According to an April statement announcing Microsoft’s purchase of Express Logic, the original developer of ThreadX, the real-time operating system is used in 6.2 billion devices, including more than 12 million medical devices.
The FDA advisory states that some medical-device manufacturers are addressing and remediating the flaws found in IPNet software. DHS is advising customers of IPNet to contact the developer for information on how to fix the flaws.
©2019 Bloomberg L.P.