General Electric is recommending not connecting two models of its anesthesia machines (GE Aestiva and GE Aespire, models 7100 and 7900) to hospital networks after researchers have discovered security flaws in the devices.
The experts at the healthcare cybersecurity firm CyberMDX have found some flaws in the firmware of the anesthesia machines, the issues could expose patients to serious risks. The flaws could be exploited by an attacker on the same network to change machines’settings.
“CyberMDX’s research team discovered a vulnerability related to the GE Aestiva and GE Aespire devices (models 7100 and 7900).” reads the report published by CyberMDX. “If an attacker gains access to a hospital’s network and if the GE Aestiva or GE Aespire devices are connected via terminal servers, the attacker can force the device(s) to revert to an earlier, less secure version of the communication protocol and remotely modify parameters without authorization.”
Experts pointed out that the devices lack authentication allowing anyone of the same network to execute commands supported by the machines.
An attacker can change the concentration of the anesthetic agents in the gas mix or the gas pressure, silent the alarms, modify timestamps of internal logs.
“When deployed using terminal servers, these manipulations can also be performed without any prior knowledge of IP addresses or location of the anesthesia machine.” continues the report. “The attack could lead to:
The vulnerabilities could represent a serious risk for the patients and unfortunately, it could be very simple for hackers to access to a hospital’s infrastructure.
CyberMDX reported the vulnerability to GE in October 2018, at the time of writing the company only plans to share suggestions to mitigate the problems.
“GE Healthcare is aware of a disclosure made by CyberMDX, describing how connecting a device serial port via an add-on and insufficiently secured terminal server to a TCP/IP network may lead to unauthorized access to such device. The disclosure describes a situation with a GE Healthcare anesthesia device that may allow a malicious party on the same network to modify gas composition parameters to correct flow sensor readings for gas density, modify device time and silence alarms after the initial audible alarm under certain circumstances.” reads the security advisory published by the company. “There is not an identified vulnerability in the device itself. GE Healthcare has determined that this scenario does not provide access to data and does not introduce
This attack is over TCP, for this reason, GE recommends disconnecting the vulnerable anesthesia machines from the hospital’s network.
GE suggests using secure terminal servers in case the anesthesia machines need to be connected to a central management system.
The company pointed out that it is impossible to change gas mix parameters on systems manufactured after 2009, only older devices are affected by the issues.
“Successful exploitation of this vulnerability could allow an attacker the ability to remotely modify GE Healthcare anesthesia device parameters. This results from the configuration exposure of certain terminal server implementations that extend GE Healthcare anesthesia device serial ports to TCP/IP networks.” reads the alert.