(Bloomberg) -- U.S. government officials on Tuesday issued a warning about cybersecurity vulnerabilities in operating systems that power a variety of medical devices.
Computer security researchers discovered 11 vulnerabilities that could allow a hacker to take control of medical devices, the U.S. Food and Drug Administration warned in an “urgent” advisory along with the Department of Homeland Security.
“These vulnerabilities may allow anyone to remotely take control of the medical device and change its function, cause denial of service, or cause information leaks or logical flaws, which may prevent device function,” the FDA’s advisory states.
The flaw rests within software called IPNet, developed by Swedish software company Interpeak AB, which is owned by Wind River Systems Inc. The company licenses this software to real-time operating system developers, and those systems power a range of medical devices. IPNet is highly technical software that facilities that transfer of data between computers and the internet.
In a statement, Wind River said it is a “strong proponent of responsible disclosure practices” and that it was important that “the extent of industry impact is determined and disclosed as soon as possible.”
Affected vendors include Microsoft Corp., Green Hills Software Ltd., and Enea AB, according to DHS. Microsoft told federal authorities that its product, ThreadX, no longer includes the IPNet framework, but that earlier versions of the software released prior to Microsoft’s acquisition of ThreadX earlier this year may contain the affected software.
“We’ve investigated these reports and confirmed that these vulnerabilities do not impact any ThreadX release,” a Microsoft spokeswoman said via email.
According to an April statement announcing Microsoft’s purchase of Express Logic, the original developer of ThreadX, the real-time operating system is used in 6.2 billion devices, including more than 12 million medical devices.
The FDA advisory states that some medical-device manufacturers are addressing and remediating the flaws found in IPNet software. DHS is advising customers of IPNet to contact the developer for information on how to fix the flaws.
(Updates with Microsoft statement in seventh paragraph)
To contact the reporter on this story: William Turton in New York at firstname.lastname@example.org
To contact the editors responsible for this story: Andrew Martin at email@example.com, Jillian Ward
For more articles like this, please visit us at bloomberg.com
©2019 Bloomberg L.P.