IoT security company Armis has revealed more medical and manufacturing device vulnerabilities linked to its URGENT/11 disclosure at Black Hat. The details were released in a coordinated vulnerability disclosure from Armis, the FDA, DHS and BD Alaris, a manufacturer of medical devices. It also reveals six more Real-Time Operating Systems (RTOS) are affected. For some devices the vulnerabilities are so severe that they are considered unpatchable.
This latest disclosure comes after a hospital using the Armis security platform detected an URGENT/11 issue with a BD Alaris infusion pump. Further investigation showed that unlike devices covered by the URGENT/11 disclosure, this device was not running the VxWorks RTOS. Instead, it was running OSE by ENEA.
Ben Seri, vice president of research & head of Armis Labs said: “The key takeaway from the BD Alaris discovery is that the URGENT/11 vulnerabilities have a much wider impact than first believed.
“While we considered the possibility of operating systems other than VxWorks being affected, which we referenced in our original disclosure, the BD Alaris pump provided confirmation of the complexity and broader reach of these vulnerabilities.”
This expansion of URGENT/11 to include seven major RTOS is now a major concern.
Who is affected?
This latest announcement expands the URGENT/11 announcement to include six more RTOS manufacturers. In addition to VxWorks, those affected now include:
- OSE by ENEA
- Integrity by Green Hills
- ThreadX by Microsoft
- Nucleus RTOS by Mentor
- ITRON by TRON Forum
- ZebOS by IP Infusion
This is no longer a case of healthcare providers and manufacturers being able to plan updates to a limited set of equipment. It now covers millions of devices. For healthcare providers, some of these devices are essential to patient care. Few healthcare providers have enough spare devices on hand to just withdraw all affected devices. More importantly, few have the ability to even detect all affected devices in their environment. It is also unclear from the various manufacturers how long it will take or how easy it will be to apply patches.
For manufacturers, this affects devices that could be deployed in their production environments. Like healthcare, they often lack visibility of their assets. This means that they need to start scanning their environments to understand the risk to the business.
Some devices can never be patched
If this wasn’t bad enough, Armis has also announced that some devices are unable to be patched. There are several reasons for this. The most common is that the manufacturer never anticipated the need to update the device. This has led Armis to state that some vulnerabilities are not zero-day but forever-day.
What this means for anyone finding such devices is that they need to put in place serious mitigation processes. This will not be easy. Where devices can be isolated, disconnected from networks or replaced, users need to do so. Those devices where the risk cannot be mitigated using these approaches pose a significant challenge. It means that customers need to factor in replacing the devices.
Not a simple failure of testing
It is important that this issue is put in context. Devices going into healthcare, in particular, undergo extensive testing. It can take years to get approval for devices to be used, and several different parties have to sign off on safety. This issue means that there is a need for a wholesale review of how testing is carried out and what it means for legacy devices.
David Gray, Senior Manager – Cyber Security Operations, Incident Response, Operational Technology, NTT Limited commented: “The Armis Urgent/11 vulnerability is the second vulnerability seen this year which has been undetected since its inception with the TCP/IP stack (Linux Double-Free bug being the first). This continues to show a worrying trend of new code being built upon existing to the extent that no one realizes its origin, thus leading to vulnerabilities going undetected for decades.
“As with the Linux/Unix bug, the Urgent/11 issue now crosses multiple platforms, making it hard to identify if a system is vulnerable. Fortunately Armis have released a tool to identify the vulnerable software and Snort signatures to pick up network traffic attempting to compromise the vulnerability. The response to this threat is commendable, but it is a worrying trend we are starting to see; is this the tip of the iceberg for decades old vulnerabilities?”
Enterprise Times: What does this mean?
At present, the focus has been on healthcare and manufacturing. However, there are a number of critical industries that rely on IoT devices using RTOS. End user organisations need to start running tests across their asset estate urgently. It would not be a surprise to see regulators and safety organisations require evidence that organisations have carried out additional testing to understand their risk.
As Armis and its customers continue to test their environments, it is likely we will see a continual set of alerts over the next few months at the very least. Importantly, all the manufacturers affected have responded with patches and updates. In addition, the responsible disclosure process between Armis and manufacturers is working well. This should help give some confidence to end user organisations and their customers.
However, to echo Gray’s statement: “…is this the tip of the iceberg for decades old vulnerabilities?”