An obscure operating system’s flaws puts millions of devices at risk

Millions of devices could be at risk thanks to a little-known, yet widely used operating system called VxWorks. VxWorks OS was recently discovered to have multiple vulnerabilities in the platform’s networking protocols.

First released in 1987, VxWorks is the most popular real-time operating system (RTOS) and is designed for consistently running devices. An RTOS can process and relay near real-time data, usually without delays, making it a consistent choice for a slew of industries and applications, including aerospace and defense, medical devices, industrial equipment, transportation, network infrastructure, and consumer electronics.

VxWorks runs on an estimated 2 billion devices and its customers include Airbus, Boeing, Cisco, Mitsubishi, NASA, Samsung, and Xerox, to name a few. Sirona Dental used VxWorks in its CEREC extraoral 2D-3D X-ray devices before being acquired by Dentsply in 2015.

Finding the issue

In the tech and cybersecurity industry, vulnerabilities are flaws found in software programs or operating systems, which can be the result of improper computer or security configurations and programming errors, according to Norton Security. Vulnerabilities create security holes that cybercriminals can exploit. Specifically, when the vulnerabilities were found in VxWorks, they were called “zero-day” vulnerabilities-in tech-speak, this means a risk is so severe that a cyberattack could be executed before the vender has even had time to react to the risk; there are “zero days” to fix the vulnerability, according to Norton.

Cybersecurity firm Armis received a strange call in August 2019 from their client-a hospital-after noticing that an infusion pump was malfunctioning, according to Wired. Armis had found that same vulnerability weeks earlier in devices running the VxWorks OS, which, according to the device’s manufacturer, Becton Dickinson, the infusion pump did not run.

Confused, Armis dug deeper into the issue. What they eventually discovered was that VxWorks has 11 vulnerabilities-and a much farther reach than originally thought.

Continue reading on the next page...

Breaking down URGENT/11

Called URGENT/11, these 11 vulnerabilities were found in IPnet, VxWorks’ TCP/IP stack, or communication protocols, and are a rare example of vulnerabilities affecting this particular OS, Armis says.

Armis classified six of these vulnerabilities as critical and states they enable Remote Code Execution. This type of vulnerability is a “holy grail” for attackers because a hack can be carried out from a remote location, without the need of a bugged USB stick or opening a malicious document.

“The biggest vulnerability out there is that they basically allow for what's called Remote Code Execution, which more or less means that a hacker, who could be in another country thousands of miles away, can get on to the system and control it as if they were one of the users that's already on the system,” says Dr. Lorne Lavine, founder and president of The Digital Dentist.
The other five vulnerabilities were classified as denial of service, information leaks, or logical flaws.

“These devastating traits make these vulnerabilities ‘wormable,’ meaning they can be used to propagate malware into and within networks,” Armis says.

Three attack scenarios are enabled by URGENT/11 depending on the location of the device, per Armis:

• Any impacted VxWorks device stationed at the perimeter of the network and is directly exposed to the internet, such as firewalls, modems, and routers. An attacker can directly attack such devices from the internet, compromise them, and then compromise the networks they guard.
   

• Any impacted VxWorks device stationed behind the perimeter, inside an internal network, that connects outbound to the internet through a firewall. URGENT/11 can allow an attacker to take over such devices by intercepting and manipulating communications they create with the internet, then send those communications back through the firewall.
   

• An attacker already positioned within the network as a result of a previous attack can send a specially crafted IP broadcast packet that will hit vulnerable VxWorks devices within the local LAN at once. This also can be an RCE vulnerability, which can lead to a remote takeover.

“I think nobody's really paying attention to this anymore,” adds Dr. John Flucke, Dental Products Report’s technology editor and dentistry’s Technology Evangelist. “I'm not even sure that the companies that make stuff for dental offices are paying that much attention to it. If somebody with malicious intent were to just turn it off anything that's got an internet connection that's used for dentistry, that could be disastrous.”

Continue reading on the next page...

What’s affected?

Affected medical devices could include MRI machines, blood pressure machines, infusion pumps, and patient monitors. Office equipment such as Voice Over Internet Protocol (VOIP) phones, printers, firewalls, and routers and modems may also be included, according to Dr. Lavine.

URGENT/11 could affect about 200 million individual known-devices, according to Wired. This flaw has been present in most versions of VxWorks since at least 2006. The result could be anything from machine malfunction to complete system takeover.

Basically any device that can connect to the internet uses an operating system, Dr. Lavine says.

“Anything more advanced than a toaster has an operating system,” he says. “It's software that tells the hardware how to interact with the environment.”

VxWorks’ current distributor Wind River and Armis state that the URGENT/11 vulnerabilities affect VxWorks version since 6.5, but not the version of the product designed for safety certification-VxWorks 653 and VxWorks Cert Edition, which are used by specific infrastructure industries such as transportation.

While none of the devices that are known to be affected are used specifically for dentistry, that doesn’t mean dental practices are immune to the flaw. Simple office equipment such as phones and printers could be at risk. What’s scarier, according to Dr. Flucke, is that the reach of URGENT/11 is still unknown.

“This is one of those things that I think probably as time goes on, we will begin to see more and more and more,” Dr. Flucke says. “There are people that are concerned people can hack Boeing airliners in flight, people could potentially change the parameters of infusion pumps that are connected to patients, and could change dosage rates or cause it not to function. This is a worst-case scenario. What happens if somebody gets a hold of the keys to this thing and flips the switch? It could very well be embedded in all kinds of things that we're not even aware of yet,” he says.

Ransomware, where data is kept locked until a ransom is paid to the attackers, could be a by-product of such vulnerabilities, Dr. Flucke adds. Patient information and other practice data are at risk in this scenario.

Continue reading on the next page...

Why did it take so long to find?

Another surprising piece of this puzzle is how long the vulnerabilities have been a part of VxWorks. URGENT/11 went virtually undetected for 13 years until it was discovered last year. The issue can be traced back to 2006 when Wind River acquired a Swedish company called Interpeak, Dr. Flucke says.

“Interpeak created this program for internet communications called IPnet,” Dr. Flucke says. “They sold this code to lots of other companies to use in other machines. And then the Swedish firm was purchased by a company called Wind River. Wind River purchased this company that made this other product and they just kind of rolled [the product] into their company.”

What no one realized, however, was that this little piece of problematic code was put into many other devices, Flucke says.

Interpeak distributed the use of their IPnet software components to other vendors, therefore the security risk likely originated earlier than 2006. Because some manufacturers have a license agreement that allows them to use the IPnet software, the software has been incorporated into other applications, equipment, and systems that are still used today, the FDA says.

This is how the infusion pump from Becton Dickinson was affected. It wasn’t running the VxWorks OS, but it was using the IPnet code, according to Wired.

“It got put into satellite dishes, it got put into medical devices, got put into all kinds of things, like elevator controllers, and all this kind of stuff,” Dr. Flucke explains. “It was just one small piece of a huge program. And people are like, 'Oh, that's the code-copy and paste.’ This vulnerability is just copied and pasted, copied and pasted, copied and pasted.”

At least three of the vulnerabilities in URGENT/11 were present when the IPnet software was acquired, according to Wind River.

Device manufacturers and security experts are aware that some of the following operating systems are affected, according to the FDA:

• VxWorks (by Wind River)

• Operating System Embedded (OSE) (by ENEA)

• INTEGRITY (by Green Hills)

• ThreadX (by Microsoft)

• ITRON (by TRON Forum)

• ZebOS (by IP Infusion)

However, it’s important to note that URGENT/11 may not affect every version of the above OS, per the FDA.

“Not all vulnerabilities apply to all impacted versions. To date, there is no indication the Urgent/11 vulnerabilities have been exploited in the wild," Wind River said in a statement. "Those impacted make up a small subset of our customer base, and primarily include enterprise devices located at the perimeter of organizational networks that are internet-facing such as modems, routers, and printers, as well as some industrial and medical devices. Organizations deploying devices with VxWorks should patch impacted devices immediately,” the company said.

Continue reading on the next page...

Mitigating the damage

There have been no confirmed adverse events due to URGENT/11, according to the FDA, but the software to exploit these vulnerabilities is already available to would-be attackers.

Wind River and Armis have been working together to develop a patch for URGENT/11 to limit the damage. Manufacturers are being notified of the issue as well. The problem is that, with many of these devices, it’s difficult to fix these vulnerabilities on stand-alone equipment, Dr. Flucke says.

“Your computers, and your phone-as we all know-get an ‘update is available’ alert, then you have to install this update,” he says. “But a lot of these devices that are affected by this VxWorks flaw don't have built into them anyway to update the code. These kind of things, nobody can just sit down and say, 'Oh, we'll just fix this and then push it out.' Because none of these devices have the ability to connect, download, update, and fix itself.”
The most important thing for practices is diligence, Dr. Lavine says.
 

Company

Industry

Alcatel-Lucent

Telecommunications Equipment

Avaya

Business Communications

Becton-Dickinson

Medical Technology Manufacturer

Dräger

Medical Device Manufacturer

Extreme Networks

Network Development and Manufacturer

GE Healthcare

Medical Imaging Manufacturer & Distributor

Honeywell

Commercial, Consumer, & Aerospace Engineer

NetApp

Data Management

Philips

Health Technology

Schneider Electric

Electrical Equipment

SonicWall

Internet Security

Spacelabs

Medical Device Manufacturer

Trend Micro

Internet Security

Xerox

Print Products & Services

Xylem

Commerical & Industrial Water

“There are so many things that a practice can do,” he says. “There's this principle called the ‘principle of least privilege.’ And basically what that means is that you set up users to do the least amount of access they need to be able to do the job. But nothing beyond that-you don't get them, for example, administrative rights. The thought being that, with these types of remote code executions, the only thing the remote user can do is get on to the hardware and basically do the things that the logged-in user at that time can do. But if you set it up that that user really can't do all that much other than, you know, run tests or whatever, then you're certainly going to limit the damage that can be done.”

It’s important to understand what operating systems are running on your devices, he adds. This information can usually be found on the manufacturers’ website. Plus, keeping those operating systems up to date is key. Dr. Lavine suggested setting up a reminder once per quarter to check for such software updates.

If a device is found to be affected, it’s crucial to follow up with the manufacturer on any solutions. Otherwise, it may be wise to replace the device, Dr. Flucke says.

“The other thing, too, dentists need to make sure in their offices that they have a good firewall between themselves and the outside part of the internet,” he adds. “Good hardware firewall now is just as important as having good antivirus.”

Norton suggests following this checklist to protect yourself from associated security risks:

• Keep software and security patches up to date by downloading the latest software releases and updates. Installing security patches fixes bugs that the previous version may have missed.

• Establish safe and effective personal online security habits.

• Configure security settings for your operating system, internet browser, and security software.

• Install proactive and comprehensive security software to help block known and unknown threats to vulnerabilities.

Individual manufacturers have put out their own security warnings and patches, if applicable. Refer to Table 1 for examples and links. Armis has updates available on their website. If you believe a device in your practice is at risk, Armis has also developed a free downloadable tool designed to detect URGENT/11 vulnerabilities.