Risk: Medium. A CVSS v3 base score of 5.3 has been calculated. The CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Date Discovered by CyberMDX: October 29, 2018
ICS-CERT Advisory date: July 9, 2019
CyberMDX’s research team discovered a vulnerability related to the GE Aestiva and GE Aespire devices (models 7100 and 7900). If an attacker gains access to a hospital’s network and if the GE Aestiva or GE Aespire devices are connected via terminal servers, the attacker can force the device(s) to revert to an earlier, less secure version of the communication protocol and remotely modify parameters without authorization. When deployed using terminal servers, these manipulations can also be performed without any prior knowledge of IP addresses or location of the anesthesia machine. The attack could lead to:
This could impact the confidentiality, integrity and availability of a component of the system.
The vulnerability in question pertains specifically to the GE Aestiva and GE Aespire machines, models 7100 and 7900 (four device/model combinations in total).
Anesthesiologists will usually have strict protocols requiring them to document procedures, dosages, vital signs, and more.
This is the main reason anesthesia machines are connected to the network — reporting and documenting their status and actions. (It is in this regard that alterations to date and time settings can prove consequential — jumbling log chronology and undermining the efficacy of audit trails.)
These machines have a serial communication port and the network integration is achieved via terminal server.
CyberMDX’s research team conducted several field tests with the machines in question and has successfully confirmed the vulnerability.
It should however be noted that the team only attempted the command to silence the device’s alarm, as adjustments to the settings for chemical constitution and time can have complicated and potentially long-lasting consequences that were best avoided in a real hospital environment.
Per the CVSS 3.0 vulnerability scoring rubric, the following characteristics apply:
Attack vector: Network. This attack is over TCP.
Complexity: Low. The attack only requires knowledge of the command conventions.
Privileges Required: None. The machine does not require or use authentication.
User Interaction: None. The attack is carried out remotely, with nothing required on the user side.
Confidentiality: None. An attacker can see the dosages and drug names being used by the patients in a room.
Availability: Low. Muting alarms and setting time/date may affect the trustworthiness of information.
GE Healthcare plans to provide updates and additional security information about this vulnerability for affected users. Please check their website for more information.
Elad Luz, Head of Research at CyberMDX
CyberMDX’s research and analyst team regularly works with medical device organizations in the responsible disclosure of security vulnerabilities. The comprehensive threat intelligence analyst team tirelessly works to help protect hospitals and healthcare organizations from malicious attacks on connected medical devices. The team’s researchers, white hackers and engineers collect information about potential and existing threats to understand attacker motivations, intentions, and methodology and deliver the best protection against attacks and malware.