Vulnerabilities could silence thousands of GE patient monitors


In yet another incident revealing the vulnerability of networked devices, six GE Healthcare vulnerabilities were disclosed Jan. 23 by the U.S. Department of Homeland Security. The department described the six design flaws as exploitable remotely with a low skill level.

It is not known if the security flaws have been exploited, but the government warning states that General Electric, which owns GE Healthcare, is working on a patch and/or upgrade to eliminate the problems. They are the latest of multiple vulnerabilities found in hospital equipment, including anesthesia and respiratory devices made by GE and infusion pump systems.

According to Homeland Security’s Cybersecurity & Infrastructure Security Agency, five of the flaws have been scored a ‘10’, the most critical rating on the open, industry-standard Common Vulnerability Scoring System. The sixth one is scored 8.5 (out of 10) on the National Infrastructure Advisory Council severity scale.

The agency warns that attackers could set off medical-condition alarms or, worse, shut them off.

According to information-security publication Threatpost, the Carescape products involved are used around the world and could number in the hundreds of thousands. Some security credentials in affected machines are found in the products’ documentation or can be recovered from the devices themselves.

Affected equipment includes:
ApexPro telemetry server versions 4.2 and prior
Carescape telemetry server versions 4.2 and prior
Clinical Information Center (CIC) versions 4.X and 5.X
Carescape telemetry server version 4.3 (impacted by CVE-2020-6962 and CVE-2020-6961)
Carescape central station (CSCS) versions 1.X
Carescape central station (CSCS) versions 2.X (impacted by CVE-2020-6962 and CVE-2020-6964)
B450 version 2.X (impacted by CVE-2020-6962 and CVE-2020-6965)
B650 version 1.X (impacted by CVE-2020-6962 and CVE-2020-6965)
B650 version 2.X (impacted by CVE-2020-6962 and CVE-2020-6965)
B850 version 1.X (impacted by CVE-2020-6962 and CVE-2020-6965)

The devices also had an insecure software update capability that either accepted any updates that were pushed to them or required an encryption key that was hard-coded on servers that were shipped with the devices.

The recommendation is to isolate the proprietary General Electric MC and IX networks on which the devices depend, or to route external traffic through a properly configured router/firewall. The firewall should be set up to block all traffic initiated outside the MC and IX networks.
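One way to check that the firewall rule above actually holds is to audit the firewall's connection log for accepted flows that were initiated outside the MC and IX networks. This is an added example, not code from GE or the advisory; the subnets, the four-field log format, the ports and the sample lines are all constructed assumptions to be replaced with the site's own.

```python
import ipaddress
from typing import NamedTuple

# Assumed address plan (not from the article): substitute the site's real MC/IX subnets.
MC_NET = ipaddress.ip_network("192.0.2.0/25")
IX_NET = ipaddress.ip_network("192.0.2.128/25")
MONITORING_NETS = (MC_NET, IX_NET)

class Flow(NamedTuple):
    initiator: object   # address that opened the connection
    responder: object   # address that received it
    dport: int
    action: str         # firewall verdict: ACCEPT or DROP

def is_internal(addr):
    return any(addr in net for net in MONITORING_NETS)

def parse_flow(line):
    """Parse 'initiator responder dport action'; return None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return Flow(ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1]),
                    int(parts[2]), parts[3].upper())
    except ValueError:
        return None

def audit(lines):
    """Return (violations, unparsed). A violation is an ACCEPTed flow that an
    outside host initiated toward a host on the MC or IX network."""
    violations, unparsed = [], []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow is None:
            unparsed.append(line)   # keep for manual review, never silently drop
        elif (flow.action == "ACCEPT" and is_internal(flow.responder)
              and not is_internal(flow.initiator)):
            violations.append(flow)
    return violations, unparsed

# Constructed sample log lines (hypothetical format and ports).
SAMPLE_LOG = [
    "192.0.2.10 192.0.2.140 2000 ACCEPT",    # MC -> IX: stays inside
    "198.51.100.7 192.0.2.10 22 ACCEPT",     # outside -> MC, accepted: violation
    "198.51.100.7 192.0.2.10 80 DROP",       # outside -> MC, blocked: policy works
    "192.0.2.10 198.51.100.20 123 ACCEPT",   # initiated inside: not covered by the rule
    "203.0.113.5 192.0.2.200 8080 ACCEPT",   # outside -> IX, accepted: violation
    "not-an-ip 192.0.2.10 80 ACCEPT",        # malformed: reported separately
]

if __name__ == "__main__":
    bad, junk = audit(SAMPLE_LOG)
    for f in bad:
        print(f"VIOLATION {f.initiator} -> {f.responder}:{f.dport}")
    print(f"{len(junk)} unparsed line(s)")
```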

Beyond that, organizations should restrict unauthorized physical access and institute password management practices.

The cybersecurity agency’s notice credited Elad Luz of CyberMDX with reporting the flaws.
