Nearly 4,000 devices made by a range of vendors in the health care, government and retail sectors are running the vulnerable software, according to cybersecurity firms Forescout Technologies and Medigate, which discovered the issue.
There is no evidence that malicious hackers have taken advantage of the software flaws — and doing so would require prior access to networks in some cases, Forescout said. Siemens, the industrial firm that owns the software, has issued updates fixing the vulnerabilities.
Siemens worked with federal officials and the researchers to verify and address the vulnerabilities through software updates.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is expected to issue an advisory Tuesday encouraging users to update their systems in response to the report, according to researchers.
“It is important for medical device manufacturers to have a mechanism to quickly ascertain if their devices are affected,” Dr. Kevin Fu, acting director of medical device cybersecurity at the FDA’s Center for Devices and Radiological Health, told CNN.
After learning of the vulnerabilities, “we began working with our partners across all potentially affected critical infrastructure sectors, including in the health care sector, to inform potentially at-risk vendors of this vulnerability and provide guidance on remediating it,” CISA Deputy Executive Assistant Director for Cybersecurity Matt Hartman said in a statement to CNN.
The vulnerabilities affect versions of the Nucleus Real-time Operating System, a suite of software owned by Siemens that manages data across critical networks.
Fu said the vulnerabilities could affect a range of medical devices, but that it depends on which version of the software is running and whether the device is connected to the internet. In addition to patient monitors, certain anesthesia, ultrasound and X-ray machines could be affected by the software flaw, according to the research.
Forescout researchers tested the software vulnerabilities in a lab. In one case, they sent malicious commands to a building automation system used in hospitals, taking it offline and cutting off the lights and HVAC system in a mock hospital room, according to the research report. (For that to work in practice, a hacker would either need to be on the local hospital network already or the building automation device would need to be exposed to the internet.)
Elisa Costante, vice president of research at Forescout Technologies, told CNN that her research team wanted to highlight how aging software used in key industries needs to be closely examined for security flaws.
“Our smart world relies on legacy software” that is often harder to maintain, Costante said.
“Today, I have no evidence of this being exploited [by hackers] yet in the wild,” she added. “But do we really need to wait for something major to happen rather than create the awareness [needed to address the vulnerabilities]?”