Vulnerabilities could silence thousands of GE patient monitors
In yet another incident revealing the vulnerability of networked devices, six GE Healthcare vulnerabilities were disclosed Jan. 23 by the U.S. Department of Homeland Security. The department described the six design flaws as exploitable remotely with a low skill level.
It is not known if the security flaws have been exploited, but the government warning states that General Electric, which owns GE Healthcare, is working on a patch and/or upgrade to eliminate the problems. They are the latest of multiple vulnerabilities found in hospital equipment, including anesthesia and respiratory devices made by GE and infusion pump systems.
According to Homeland Security’s Cybersecurity & Infrastructure Security Agency, five of the flaws have been scored as a ‘10’, which is the most critical on the open, industry standard Common Vulnerability Scoring System. The sixth one is scored 8.5 (out of 10) on the National Infrastructure Advisory Council severity scale.
The agency warns that attackers could set off medical-condition alarms or, worse, shut them off.
According to information-security publication Threatpost, Carescape products involved are used around the world and could number in the hundreds of thousands. Some security credentials in affected machines are found in the products’ documentation or can be recovered from the devices themselves.
| Affected equipment includes: |
|---|
| ApexPro telemetry server versions 4.2 and prior |
| Carescape telemetry server versions 4.2 and prior |
| Clinical Information Center (CIC) versions 4.X and 5.X |
| Carescape telemetry server version 4.3 (impacted by CVE-2020-6962 and CVE-2020-6961) |
| Carescape central station (CSCS) versions 1.X |
| Carescape central station (CSCS) versions 2.X (impacted by CVE-2020-6962 and CVE-2020-6964) |
| B450 version 2.X (impacted by CVE-2020-6962 and CVE-2020-6965) |
| B650 version 1.X (impacted by CVE-2020-6962 and CVE-2020-6965) |
| B650 version 2.X (impacted by CVE-2020-6962 and CVE-2020-6965) |
| B850 version 1.X (impacted by CVE-2020-6962 and CVE-2020-6965) |
The devices also had an insecure software update capability that either accepted any updates that were pushed to them or required an encryption key that was hard encoded on servers that were shipped with the devices.
It is recommended that the proprietary General Electric MC and IX networks on which the devices depend be isolated or run external traffic through a properly programmed router/firewall. The firewall should be set up to block all traffic initiated outside the MC and IX networks.
Beyond that, organizations should restrict unauthorized physical access and institute password management practices.
The cybersecurity agency’s notice credited Elad Luz of CyberMDX with reporting the flaws.
Edge roundup: Two mystery boxes, a sales spike and coveted certification
Venture money to bring LoRa sensors to SST Wireless
Article Topics
encryption | GE Healthcare | healthcare | network | security | vulnerability
Comments