A vulnerability has been discovered in a range of GE Healthcare devices popular in hospitals, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) disclosed December 8. The vulnerability, discovered by CyberMDX, impacts dozens of radiological devices and could allow an attacker to access sensitive PHI data, alter data and impact the availability of the machine.
The CyberMDX team discovered this vulnerability after noticing similar patterns of unsecured communications between medical devices and the corresponding vendor’s servers across several different healthcare delivery organizations (HDOs). After detecting the anomalies, the researchers investigated further and found multiple recurring maintenance scenarios instigated automatically by GE’s server. The maintenance protocols rely on the machine having certain services available and ports open, and on specific globally used credentials. These global credentials provide hackers with easy access to crucial medical devices. They also enable them to run arbitrary code on impacted machines and provide access to any data from the machine.
GE has confirmed that the vulnerability impacts many radiological devices including CT scanners, PET machines, molecular imaging devices, MRI machines, mammography devices, X-ray machines and ultrasound devices. The vulnerability also impacts certain workstations and imaging devices used in surgery. The list of affected product lines can be found here.
CVE-2020-25179 was given a CVSS score of 9.8, reflecting a critical severity, in the ICS-CERT Advisory ICSMA-20-343-01.
“Over the past few months, we’ve seen a steady rise in the targeting of medical devices and networks, and the medical industry is unfortunately learning the hard way the consequences of previous oversights,” said Elad Luz, head of research at CyberMDX. “Protecting medical devices so that hospitals can ensure quality care is of utmost importance. We must continue to eliminate easy access points for hackers and ensure the highest level of patient safety is upheld across all medical facilities.”
The MDhex-Ray discovery is the latest in a growing list for the CyberMDX research team. It follows a series of six vulnerabilities disclosed in January, dubbed MDhex, as well as vulnerabilities discovered in infusion pumps and anesthesia machines. The team works closely and frequently with regulatory bodies including CISA, MITRE and the FDA, as well as with numerous medical device manufacturers and HDOs.