The U.S. Federal Bureau of Investigation has issued a warning that unpatched and outdated medical devices are providing cyberattack opportunities to hackers.
In a Private Industry Notification issued Sept. 12, the FBI said it has identified an increasing number of vulnerabilities from unpatched medical devices that run outdated software and lack adequate security features.
While noting that medical device hardware often remains active for 10 to 30 years, underlying software lifecycles specified by the manufacturer can range from a couple of months to maximum life expectancy, allowing threat actors lots of time to discover and exploit vulnerabilities. Legacy medical devices are said to contain outdated software because they don’t receive manufacturer support for patchers or updates, opening the door to attackers.
In addition to software issues, other medical devices were found to have vulnerabilities that include being set to a default configuration, making them easily exploitable. Devices with customized software were noted to be susceptible because of issues with vulnerability patching, along with devices that were not initially designed with security in mind.
The FBI…
