Researchers find two dozen bugs in software used in medical and industrial devices

It's a critique of the coding practices of the designers of billions of so-called IoT devices.

Microsoft researchers have discovered some two dozen vulnerabilities in software embedded in popular medical and industrial devices; an attacker could use the flaws to breach those devices and, in some cases, crash them.

The so-called “BadAlloc” vulnerabilities the researchers revealed on Thursday are in code that makes its way into infusion pumps, industrial robots, smart TVs and wearable devices. No fewer than 25 products made by the likes of Google Cloud, Samsung and Texas Instruments are affected.

The research serves as a critique of the coding practices of the designers of billions of so-called “internet of things” devices that are a feature of modern life.

There’s no evidence that the vulnerabilities have been exploited, according to Microsoft. But the Department of Homeland Security’s cybersecurity agency issued an advisory urging organizations to update their software.

It’s unclear just how many devices are affected by the software bugs, but they span numerous industries and countries. Microsoft declined to answer questions about the blog post disclosing the findings.

One of the affected products is the VxWorks operating system made by California-based Wind River Systems. The software is popular in the aerospace, automotive and medical sectors, and was affected by another class of critical vulnerabilities disclosed in 2019.

While researchers have been pointing out weaknesses in the designs of IoT devices for years, policymakers have recently taken more interest in the issue. A bill signed into law by President Donald Trump in December sets baseline security requirements for any IoT vendor that wants to sell its wares to the federal government.

The BadAlloc discovery highlights other intractable cybersecurity issues. Some of the flaws are embedded in code that organizations run on their computer systems without realizing it. And for industrial organizations and hospitals, updating these systems may not be a matter of clicking a button. Software patches often have to be tested for specific environments and applied on a schedule that doesn’t disrupt operations.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.