October 25, 2019
|
3 minutes

Urgent/11 – What Happened?

Learn what devices are vulnerable regarding the 11 vulnerabilities discovered in VxWorks, as well as how these attacks occur, and what you need to consider.

URGENT/11 is a group of vulnerabilities discovered in July 2019, which pertains to 11 zero-day vulnerabilities. These vulnerabilities could exploit VxWorks RTOS (Real-Time Operating System), which is currently used in over 2 billion critical, industrial, enterprise, and medical devices. Any IPnet version of VxWorks dating back 16 years is at risk of these 11 vulnerabilities. These vulnerabilities allow hackers to gain access to a network without resorting to traditional means, and user interaction is no longer necessary. Firewalls and NAT solutions have no success stopping attackers when the 11 VxWorks vulnerabilities are taken advantage of. The VxWorks TCP/IP Stack (IPnet) has been deemed the source of these 11 vulnerabilities. The 11 traits identified in this TCP/IP Stack (IPnet) can be taken advantage of to penetrate malware into networks.  

What's vulnerable?

Although the FDA stated that the Urgent/11 vulnerabilities could impact more medical devices, we have a small list of devices (including medical devices) that are undoubtedly vulnerable:

  • Imaging systems
  • Infusion pumps
  • Anesthesia machines
  • SCADA
  • Industrial controllers
  • Patient monitors
  • MRI machines
  • Firewalls
  • VOIP phones
  • Printers

As this list describes both medical and non-medical devices that are impacted due to the 11 vulnerabilities of VxWorks, we know that these are not the only devices affected. Sensato and the FDA strongly urged our clients and partners to immediately report suspected problems within any of your medical devices running VxWorks to the MedWatch Voluntary Reporting Form. Devices that are reaching outbound to the internet are not immune to these vulnerabilities; they are equally as likely to be attacked compared to devices running on your network.

How do attacks occur?

Since firewalls are vulnerable under impacted versions of VxWorks, they are not going to be capable of stopping intruders. An attacker can likely create a particular TCP packet that allows them to bypass the firewall and take over the entire network. Once this occurs, every single medical and non-medical device running on this network are now extremely vulnerable to attacks. An attacker only needs to bypass the firewall one time before it is possible for them to take over every single device on the network. Here is an example of such an attack: If a hospital uses a printer that is connected to cloud printing services, a hacker can add a small change to the TCP connection and hijack the printer, regardless of the printer being behind NAT solutions and a firewall. Due to the nature of Urgent/11 vulnerabilities, this would go completely unnoticed using traditional cybersecurity tools and practices. Although the idea of a hacker taking over your hospital's printer is not exactly life-threatening, once the attacker has access to your printer, every other device on that network running VxWorks is now extremely vulnerable. Patient monitors, MRI machines, imaging systems, and many other devices are now at risk of tampering. If a patient monitor is targeted, attackers will be able to read all patient data quickly and even go as far as changing the data displayed on the screen. They can make it seem as if a living and healthy patient no longer has a heartbeat or blood pressure.

What this means to you

Traditional cybersecurity practices and tactics are no match for attackers exploiting the 11 vulnerabilities on impacted versions of VxWorks. Luckily for the healthcare industry, Sensato goes beyond traditional cybersecurity practices and tactics. When the FDA approached Sensato, we knew this would be an immense opportunity and responsibility to assist in providing guidance. As a firm focused on healthcare and our Memorandum of Understanding with the FDA, Sensato took this emerging threat seriously and quickly supported the communication efforts with educational events.

The Urgent/11 weaknesses are not something that you can take lightly or brush off to the side. These vulnerabilities are not something that can impact your network a year from now or five years from now. These vulnerabilities can be exploited today, yesterday, and tomorrow. Taking advantage of Sensato Nightingale™ and Sensato Cybersecurity Tactical Operation Center (CTOC), our clients are aware of breaking vulnerabilities such as Urgent/11 far before the information may reach the public. By the time Urgent/11 vulnerabilities were spreading around the internet, Sensato had already completed the counseling and consulting for our clients, keeping them out of harm's way. We strongly urge you to reach out to us at info@sensato.co or call us at 844.736.7286 for help with detecting impacted versions of VxWorks in your organization's network.

Medical Device Security—What You Need to Know
Cybersecurity Threats Continue to Find Vulnerabilities in Healthcare
Staying Ahead as Cyberattacks Evolve
Is it possible to outpace and outsmart cyberattackers? It depends on your tech…(Hint: take a page from the attackers).
2019 Cybersecurity Guide: Aligning Threat Preparedness with Threat Landscape
Are you ready for 2019? You can bet that attackers are! Here are best practices for the emerging threat landscape in the New Year.