Siemens software vulnerabilities potentially put millions of medical devices at risk

The U.S. Cybersecurity and Infrastructure Security Agency has issued an alert about critical vulnerabilities in Siemens software that could potentially impact millions of medical devices from multiple manufacturers. The cyber agency, following the lead of the researchers who identified the weaknesses, scored one of the vulnerabilities 9.8 on a 10-point risk scale, reflecting the potential for hackers to disrupt the operation of critical medical devices such as anesthesia machines and bedside monitors. CISA's alert states that Siemens has released updates for several of the affected products and the company is advising users of unpatched devices to take countermeasures but "has not identified any additional specific workarounds or mitigations." A Siemens spokesperson in an emailed statement said the company is aware of the vulnerabilities and is investigating to identify if any of its products are affected. The researchers discovered a set of 13 vulnerabilities that affect Siemens' software, which is often used in computers embedded in larger systems such as medical devices. Forescout researchers used various techniques to estimate the number of devices affected by the vulnerabilities, known collectively as Nucleus:13, and discovered evidence of the use of the software in Zoll defibrillators, Zonare ultrasound devices, a GE Healthcare anesthesia machine and a Nihon Kohden bedside monitor.