PALO ALTO, Calif., Oct. 1, 2019 /PRNewswire/ — Armis, the leading enterprise IoT security company, announced today the discovery that URGENT/11 impacts devices using six additional Real Time Operating Systems (RTOS) that supported IPnet TCP/IP stack, including OSE by ENEA, Integrity by Green Hills, ThreadX by Microsoft, Nucleus RTOS by Mentor, ITRON by TRON Forum, and ZebOS by IP Infusion. This new discovery expands the reach of URGENT/11 to potentially millions of additional medical, industrial and enterprise devices.
Armis confirmed the expanded exposure after being contacted by a hospital, which was using the Armis security platform. Through Armis, the hospital identified an infusion pump impacted by URGENT/11, which was not running VxWorks, but OSE by ENEA. The device was a BD Alaris infusion pump (BD Alaris™ PC Unit). Armis worked with BD to confirm the Alaris infusion pump was impacted. Infusion pumps play a critical role in hospitals delivering fluids, medications, blood and blood products.
“The key takeaway from the BD Alaris discovery is that the URGENT/11 vulnerabilities have a much wider impact than first believed,” said Ben Seri, vice president of research & head of Armis Labs. “While we considered the possibility of operating systems other than VxWorks being affected, which we referenced in our original disclosure, the BD Alaris pump provided confirmation of the complexity and broader reach of these vulnerabilities.”
As a part of a coordinated vulnerability disclosure process, FDA, DHS, and manufacturers are releasing communications to make public health stakeholders aware of these vulnerabilities and actions that they can take to mitigate risk. To the best of all organizations’ knowledge, there is no indication the URGENT/11 vulnerabilities have been exploited in the wild.
This announcement is a follow-up to the original URGENT/11 disclosure announcement on July 29, 2019, that prompted a multi-industry effort to address the critical vulnerabilities that were discovered. More than 30 vendors have issued security advisories on URGENT/11, including leading medical manufacturers such as GE Healthcare, Philips , Drager, and now BD . At the Black Hat conference this past August, Armis researchers demonstrated the critical impact of URGENT/11 on medical devices, by taking over the Xprezzon hospital bedside patient monitor by Spacelabs. Today, Spacelabs has released its advisory and updates as well. The FDA and DHS has also issued communications encouraging device manufacturers to take immediate action to determine if they are impacted and take the necessary actions.
The healthcare and manufacturing sectors are primary users of RTOSs for their devices. These devices undergo a much longer period of development and approvals than consumer devices, and have significantly longer life cycles once in use, which is why they are especially prone to vulnerabilities in legacy code. Since the July 2019 announcement, Armis has been able to validate the impact of the additional RTOSs mentioned above which use IPnet, by analyzing various devices based on each OS that were also found vulnerable to URGENT/11:
Only devices running IPnet on these RTOSs would be impacted (e.g. does not impact Green Hills using GHNet TCP/IP stack).
Updates and Mitigations
Additional information:
About Armis
Armis is the leading agentless, enterprise-class security platform to address the new threat landscape of unmanaged and IoT devices. Fortune 1000 companies trust our unique out-of-band sensing technology to discover and analyze all managed, unmanaged, un-agentable and IoT devices—from traditional devices like laptops and smartphones to new unmanaged smart devices like smart TVs, webcams, printers, HVAC systems, industrial control systems, medical devices and more. Armis discovers devices on and off the network, continuously analyzes endpoint behavior to identify risks and attacks, and protects critical information and systems by identifying suspicious or malicious devices and quarantining them. Headquartered in Palo Alto, California, Armis is a privately held company. Follow us on Twitter, LinkedIn and Facebook.
Press Contacts:
Susan Torrey
Corporate Communications at Armis
susan.torrey@armis.com
650-492-1921
Katie Garagozzo for Armis
Bateman Group
armis@bateman-group.com
415-503-1818
View original content to download multimedia:http://www.prnewswire.com/news-releases/armis-discovers-expanded-reach-of-urgent11-that-highlights-risk-to-medical-devices-300928851.html
SOURCE Armis
Charlotte, North Carolina--(Newsfile Corp. - December 23, 2024) - cbdMD, Inc. (NYSE American: YCBD) (NYSE…
AUSTIN, TEXAS / ACCESSWIRE / December 23, 2024 / Interactive Strength Inc. (Nasdaq:TRNR) ("TRNR" or…
Originally published in Quest Diagnostics' 2023 Corporate Responsibility ReportNORTHAMPTON, MA / ACCESSWIRE / December 23,…
Marlborough, Massachusetts--(Newsfile Corp. - December 23, 2024) - Phio Pharmaceuticals Corp. (NASDAQ: PHIO), a clinical-stage…
WESTON, Fla.--(BUSINESS WIRE)--ILiAD Biotechnologies, LLC (ILiAD), a clinical stage biotech company developing the world’s most…
WESTON, Fla.--(BUSINESS WIRE)--ILiAD Biotechnologies, LLC (ILiAD), a clinical stage biotech company developing the world’s most…