Vulnerabilities that fuzzing can catch

The new FDA standard offers the medical device field a chance to catch up with and address some of the vulnerabilities that fuzzing has found in other systems.

In 2019, for example, a new cybersecurity vulnerability called Urgent11 was discovered in a real-time operating system called VxWorks, which is widely used in embedded devices, including medical equipment, industrial control systems, and IoT devices. Urgent11 vulnerabilities are significant because they allow remote attackers to gain unauthorized access to vulnerable devices and potentially execute arbitrary code or launch malicious attacks. The flaws stem from a TCP/IP networking stack that is part of VxWorks and affect versions 6.5 and prior.

These types of vulnerabilities can be exploited by sending specially crafted packets to the targeted device, triggering a buffer overflow or other memory corruption issues. Once exploited, an attacker can potentially take control of the affected device, leading to severe consequences such as remote code execution, data theft, system disruption, or even compromised connected networks. The use of fuzz testing on significant software releases could help eliminate certain vulnerabilities that are hard to catch and prevent zero-day vulnerabilities. Urgent11 has raised awareness about the importance of timely security updates, vulnerability management, and risk assessment in the context of IoT and embedded devices.