New York, NY, December 8, 2020 — A vulnerability has been discovered in a range of GE Healthcare devices popular in hospitals, the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) disclosed today. The vulnerability, discovered by healthcare cybersecurity provider CyberMDX, impacts dozens of radiological devices and could allow an attacker to gain access to sensitive PHI data, alter data, and impact the availability of the machine.
The CyberMDX team discovered this vulnerability after noticing similar patterns of unsecured communications between medical devices and the corresponding vendor’s servers across several different HDOs. After detecting the anomalies, the researchers investigated further and discovered multiple recurring maintenance scenarios instigated automatically by GE’s server. The maintenance protocols rely on the machine having certain services available and ports open, and on specific globally used credentials. These global credentials provide hackers with easy access to crucial medical devices. The credentials also enable hackers to run arbitrary code on impacted machines and provide access to any data from the machine.
GE has confirmed that the vulnerability impacts many radiological devices including CT Scanners, PET machines, Molecular Imaging Devices, MRI Machines, Mammography Devices, X-Ray Machines, and Ultrasound Devices. The vulnerability also impacts certain workstations and imaging devices used in surgery. The list of affected product lines can be found here.
CVE-2020-25179 was given a CVSS score of 9.8, reflecting a critical severity, in the ICS-CERT Advisory ICSMA-20-343-01.
“Over the past few months we’ve seen a steady rise in the targeting of medical devices and networks, and the medical industry is unfortunately learning the hard way the consequences of previous oversights,” said Elad Luz, Head of Research at CyberMDX. “Protecting medical devices so that hospitals can ensure quality care is of utmost importance. We must continue to eliminate easy access points for hackers and ensure the highest level of patient safety is upheld across all medical facilities.”
The MDhex-Ray discovery is the latest in a growing list for the CyberMDX research team. It follows a series of six vulnerabilities disclosed in January, dubbed MDhex, as well as vulnerabilities discovered in infusion pumps and anesthesia machines. The team works closely and frequently with regulatory bodies including CISA, MITRE and the FDA as well as with numerous medical device manufacturers and HDOs.
CyberMDX is an IoT security leader dedicated to protecting the quality care of health delivery worldwide. CyberMDX provides cloud-based cybersecurity solutions that support the advancement of The Internet of Medical Things. The CyberMDX solution identifies endpoints and assesses vulnerabilities to detect, respond to, and prevent cyber incidents. Deployed worldwide, CyberMDX is designed to integrate with our customers’ existing environments through its scalable, easy-to-deploy and agentless solution.