Decades-Old Code Is Putting Millions of Critical Devices at Risk

In early August, the enterprise security firm Armis got a confusing call from a hospital that uses the company’s security monitoring platform. One of its infusion pumps contained a type of networking vulnerability that Armis researchers had discovered a few weeks prior. But that vulnerability had been found in an operating system called VxWorks—which the infusion pump didn’t run.

Hospital representatives wondered if it was just a false positive. But as Armis researchers investigated, they started to see troubling signs of a connection between VxWorks and the infusion pump’s operating system. What they ultimately discovered has disturbing implications for the security of countless critical systems—patient monitors, routers, security cameras, and more—across dozens of manufacturers.

Today Armis, the Department of Homeland Security, the Food and Drug Administration, and a broad swath of so-called real-time operating system and device companies disclosed that Urgent/11, a suite of network protocol bugs, exists in far more platforms than originally believed. These real-time operating systems are used in the always-on devices common to the industrial control and health care industries. And while they’re distinct platforms, many of them incorporate the same decades-old networking code that leaves them vulnerable to denial of service attacks or even full takeovers. At least seven affected operating systems run in countless IoT devices across the industry.

“It’s a mess and it illustrates the problem of unmanaged embedded devices,” says Ben Seri, vice president of research at Armis. “The amount of code changes that have happened in these 15 years is enormous, but the vulnerabilities are the only thing that has remained the same. That’s the challenge.”

The bugs endured for so long because they all trace back to the same popular early-aughts implementation of the network protocols that make up the “TCP/IP stack,” the code that allows devices to connect to networks like the internet. The Swedish software firm Interpeak created a version of this stack called IPnet that it licensed to an array of customers, including numerous real-time operating system developers. Then in 2006, Wind River, the developer of VxWorks, acquired Interpeak and absorbed IPnet. Once Wind River acquired Interpeak and dissolved the company, there was no more support for existing IPnet licenses, so whatever bugs were already in that code lived on, unbeknownst to Wind River or Interpeak’s old customers.

That’s why the infusion pump, made by the medical device manufacturer Becton Dickinson Alaris, had Urgent/11 bugs despite not running VxWorks. Instead, it uses a real-time platform called Operating System Embedded by the Swedish IT company ENEA—which also incorporates IPnet. In its original July Urgent/11 security advisory, Wind River noted the possibility that other operating systems and devices might be vulnerable as well, because of IPnet’s distribution prior to 2006.

“As a strong proponent for responsible disclosure practices, Wind River believes it is critically important with matters like Urgent/11 that the extent of industry impact is determined and disclosed as soon as possible,” Arlen Baker, Wind River chief security architect, told WIRED in a statement.

The timing of the hospital alert was auspicious; the researchers were already in Las Vegas for a hacking conference. To validate their theory, the Armis researchers met with BD Alaris representatives at Defcon’s Biohacking Village, a setting where hackers, manufacturers, and regulators work together to solve industry security issues. There, they tested a potentially vulnerable infusion pump and confirmed the presence of some of the IPnet vulnerabilities.

“Our approach was to encourage trust and collaboration in the Biohacking Village,” says Beau Woods, a cybersafety innovation fellow at the Atlantic Council and an organizer of the Medical Device Village. “That created the conditions for device manufacturers to make their equipment available, for researchers to test for vulnerabilities safely, and for FDA to help with disclosure to preserve patient safety and public trust.”