by John R. Fischer
, Senior Reporter | December 08, 2020
A critical vulnerability puts more than 100 of GE Healthcare's radiological devices at risk of being hacked, with attackers able to access and alter sensitive personal health information.
Uncovered by cybersecurity researcher CyberMDX, the flaw involves default passwords found on GE's product management software and affects CTs, PET scanners, molecular imaging devices, MR systems, mammography solutions, X-ray machines, and ultrasound systems. It has been dubbed the MDhex-Ray discovery.
“Upon discovery of the vulnerability, CyberMDX brought the issues we discovered to GE's attention, along with different scenarios we have seen in the field of GE performing automated maintenance in insecure ways. We later had several calls together talking about the issues and suggesting different mitigation techniques that GE could use, working with GE throughout the process,” Elad Luz, head of research at CyberMDX, told HCB News.
Quest Imaging Solutions provides all major brands of surgical c-arms (new and refurbished) and carries a large inventory for purchase or rent. With over 20 years in the medical equipment business we can help you fulfill your equipment needs
The list of specific modalities affected can be found on the CyberMDX website: https://us-cert.cisa.gov/ics/advisories/icsma-20-343-01
CyberMDX identified the issue after observing medical devices and the corresponding vendor’s servers communicating with one another in unsecured ways across several different HDOs. Further investigation revealed the cause to be multiple recurring maintenance scenarios instigated automatically by GE’s servers. The maintenance protocols require machines to have certain services available and ports open and to use specific globally-used credentials. It is these global credentials that create easy access to the devices.
In addition to machines, the vulnerability also affects certain workstations and imaging devices used in surgery. The severity of the situation has earned the threat a CVSS score of 9.8 in the ICS-CERT Advisory, making it critical.
GE says the flaw is not directly accessible outside the customer's network and that no incidents or injuries associated with the vulnerability have been reported in a clinical use setting. "GE Healthcare has performed a rigorous left-right look throughout their product portfolio, followed by safety risk assessment of all products potentially impacted to assess worst-case scenarios of access and their potential outcome. The result of these assessments is that there is no safety concern associated, and you may continue to use the devices," said the company in a security post on its website.
The best solution according to Luz is to introduce security requirements at the design phase of the device, and to use standard authentication techniques and standard security protocols. “Sometimes vendors reinvent the wheel when implementing security, and this is unnecessary — there are standard and proven methods for most scenarios.”
CyberMDX previously discovered a group of vulnerabilities specifically within hard-coded credentials like this at the beginning of the year for patient monitoring devices. The MDhex-Ray discovery follows a group of six vulnerabilities disclosed since January that have been dubbed MDhex, along with others found in infusion pumps and anesthesia machines.