SecurityWeek

Vulnerabilities Found in GE Healthcare Patient Monitoring Products

Several potentially serious vulnerabilities have been found in patient monitoring products made by GE Healthcare, the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) and healthcare cybersecurity firm CyberMDX revealed on Thursday.

The vulnerabilities were discovered by CyberMDX researchers during an investigation into GE’s CARESCAPE Clinical Information Center (CIC) Pro product. The analysis ultimately resulted in the discovery of six flaws across CIC Pro, patient monitors, servers, and telemetry systems.

The vulnerabilities, a majority of which have been assigned critical severity ratings, have been collectively called MDhex by CyberMDX. According to the cybersecurity firm, they can be exploited to make devices unusable or interfere with their functionality, change alarm settings, and obtain protected health information (PHI).

One of the vulnerabilities can be exploited to establish a remote SMB connection and read or write files on the system. An attacker can connect to the targeted system using hardcoded credentials that are shared across CARESCAPE devices and which can be easily obtained by performing a password recovery on the Windows XP operating system embedded in affected devices.

CyberMDX researchers also discovered hardcoded VNC credentials, which can be easily obtained from product documentation.

GE Healthcare has also inadvertently exposed SSH private keys, making it possible for hackers to remotely connect to devices and execute malicious code.

Another vulnerability is related to the presence of the KaVoom! KM keyboard-mouse software, which enables users to centrally manage multiple workstations. While this functionality can be useful for legitimate users, it can also be abused by malicious actors to change device settings and alter data.

The researchers also found that the Webmin system configuration tool present on affected devices is old and full of known vulnerabilities.

Finally, they discovered that the software update manager running on impacted GE devices does not properly verify updates, allowing an attacker to cause a DoS condition or install malicious software.

Elad Luz, head of research at CyberMDX, told SecurityWeek that the vulnerabilities, particularly the ones involving hardcoded credentials, are not difficult to exploit, and an attack could potentially be routed from the internet given that hospitals are typically not isolated from the internet.

GE Healthcare is working on developing patches for these vulnerabilities and the updates, which will contain additional security enhancements as well, should become available in the second quarter of 2020. In the meantime, the company has advised facilities using the affected devices to follow network management best practices in order to prevent potential attacks.

The company is not aware of any incidents involving these vulnerabilities and it has pointed out that monitoring devices contain minimal PHI, such as name and basic vitals, but not databases of stored information. Furthermore, even this minimal data is only stored on monitoring devices for a brief period — depending on the device and its configuration — and in most cases it should be deleted when the patient is discharged.

This is not the first time CyberMDX has found flaws in GE Healthcare products. Last year, the cybersecurity company reported discovering weaknesses in anesthesia machines.

GE initially downplayed the severity of the flaws and said they don’t pose any risk to patients, but later admitted that their exploitation can have serious consequences.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
