Threat Intel: NUCLEUS:13 Vulnerabilities

Exploitation of the NUCLEUS:13 Vulnerabilities Could Enable Medical Care Disruption in Hospitals
Daniel Brody
Nov 11, 2021
Threat Intelligence

What Is NUCLEUS:13?

NUCLEUS:13 is a set of 13 recently identified vulnerabilities that affect Nucleus NET, the TCP/IP stack of the Nucleus Real-Time Operating System (RTOS). The TCP/IP stack is software that enables basic network communication for all IP-connected devices, including what are commonly categorized as IoT (Internet of Things), IoMT (Internet of Medical Things), OT (Operational Technology) and IT (Informational Technology) devices. NUCLEUS:13 is the latest in a long line of TCP/IP stack vulnerabilities that includes NAME:WRECK, Ripple20, AMNESIA:33, and many others.

Why Is NUCLEUS:13 So Threatening to Healthcare Organizations?

Nucleus is deployed in over three billion devices, meaning the potential attack surface of devices affected by these vulnerabilities is huge. If a device with one of the NUCLEUS:13 vulnerabilities is exploited, attackers may be able to gain unauthorized access to a hospital network, remotely execute malicious code or launch a denial-of-service attack. In a worst-case scenario, attackers could potentially disrupt medical care, service availability, and other critical hospital processes.

Which Medical Devices Are Vulnerable to NUCLEUS:13?

Some of the most common medical devices that leverage Nucleus RTOS include various ventilators, patient monitors and anesthesia machines. Healthcare organizations are also likely to be affected by building automation controllers that many hospitals use to control functions such as HVAC (Heating, Ventilation and Air Conditioning), physical access controls, lighting, and fire alarm systems. While these building automation controllers are not directly hooked up to patients, their manipulation can still negatively affect patient care and safety.

What Can Healthcare Organizations Do to Mitigate the NUCLEUS:13 Threat?

The good news is that the developer of Nucleus, Siemens, has already issued patches for all the vulnerabilities that make up the NUCLEUS:13. Device vendors using Nucleus should provide updates to their customers that include the applied patch.

The bad news is that it could take a long time for the hundreds of device manufacturers to assess the risk each vulnerability poses to their devices, apply the update, and push the update out to individual customer devices. That could take months by itself. Then, companies and hospitals will need to confirm that their IT staff can prioritize the risks of devices affected by NUCLEUS:13, make sure the affected devices are offline, and update the relevant firmware. This will not always be a straightforward or practical option, and it will vary greatly by device type and logistical considerations.

While that long term patch application process plays out, hospitals will still need to keep medical and OT devices affected by NUCLEUS:13 secure. They can do this by leveraging network segmentation or disabling support for unused protocols to limit the exposure of critical devices that are vulnerable, and monitoring network traffic for malicious or anomalous traffic that may reveal an attacker trying to exploit known vulnerabilities such as NUCLEUS:13.

How Cynerio’s Healthcare IoT Cybersecurity Platform Works to Protect Hospitals from NUCLEUS:13 and other Device Vulnerabilities

Cynerio is always working to ensure the security of your medical devices. In the case of NUCLEUS:13, here are some of the ways we are carrying this out:

  • We are monitoring the patches released by all affected device vendors on the Cynerio platform. As those patches are released, we will show you exactly where to obtain the patch and provide step-by-step instructions for how to apply the patch across your vulnerable device inventory.
  • Cynerio monitors the network traffic of all IoT, OT and IoMT devices and alerts for malicious, anomalous, or otherwise suspicious activity that could be consistent with known or zero-day vulnerabilities present on devices. The platform will provide detailed instructions on how to virtually patch devices affected by NUCLEUS:13 if a vendor has not provided a patch yet.
  • Cynerio’s medical-first network segmentation validation engine gives hospitals a virtual environment to test potential segmentation options before execution so that effective IoT security can be confidently implemented, and device lifecycles safely lengthened, without disruptions or additional risk. Devices can also be quarantined through restriction of external communication paths until network segmentation or patching is executed on the device.

Additional Resources

Keep your finger on the pulse of Healthcare IoT security

Get Your Free Pass to HIMSS21

August 9 -13, Las Vegas

HOW? Easy! If you are a Healthcare IT Executive and you book a 30-minute call with us before July 30th, you get a free pass (valued at $1295)

Book a Call

*Please note that there is limited pass availability