Researchers find two dozen bugs in software used in medical and industrial devices

Written by

Microsoft researchers have discovered some two dozen vulnerabilities in software that is embedded in popular medical and industrial devices that an attacker could use to breach those devices, and in some cases cause them to crash.

The so-called “BadAlloc” vulnerabilities the researchers revealed on Thursday are in code that makes its way into infusion pumps, industrial robots, smart TVs and wearable devices. No less than 25 products made by the likes of Google Cloud, Samsung and Texas Instruments are affected.

The research serves as a critique of the coding practices of the designers of billions of so-called “internet of things” devices that are a feature of modern life.

There’s no evidence that the vulnerabilities have been exploited, according to Microsoft. But the Department of Homeland Security’s cybersecurity agency issued an advisory urging organizations to update their software.

It’s unclear just how many devices are affected by the software bugs, but they span numerous industries and countries. Microsoft declined to answer questions about the blog.

One of the affected products is the VXWorks operating software made by California-based Wind River Systems. The software is popular in the aerospace, automotive and medical sectors, and was affected by another class of critical vulnerabilities disclosed in 2019.

While researchers have been pointing out weaknesses in the designs of IoT devices for years, policymakers have recently taken more interest in the issue. A bill signed into law by President Donald Trump in December sets baseline security requirements for any IoT vendor that wants to sell its wares to the federal government.

The BadAlloc discovery highlights other intractable cybersecurity issues. Some of the flaws are embedded into code that some organizations run on their computer systems without realizing it. And for industrial organizations and hospitals, updating these systems may not be a matter of clicking a button. Software patches often have to be tested for specific environments, and be done on a schedule that doesn’t disrupt operations.