SecurityWeek

Vulnerabilities Found in GE Healthcare Patient Monitoring Products

Several potentially serious vulnerabilities have been found in patient monitoring products made by GE Healthcare, the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) and healthcare cybersecurity firm CyberMDX revealed on Thursday.

The vulnerabilities were discovered by CyberMDX researchers during an investigation into GE’s CARESCAPE Clinical Information Center (CIC) Pro product. The analysis ultimately resulted in the discovery of six flaws across CIC Pro, patient monitors, servers, and telemetry systems.

The vulnerabilities, a majority of which have been assigned critical severity ratings, have been collectively called MDhex by CyberMDX. According to the cybersecurity firm, they can be exploited to make devices unusable or interfere with their functionality, change alarm settings, and obtain protected health information (PHI).

One of the vulnerabilities can be exploited to establish a remote SMB connection and read or write files on the system. An attacker can connect to the targeted system using hardcoded credentials that are shared across CARESCAPE devices and which can be easily obtained by performing a password recovery on the Windows XP operating system embedded in affected devices.

CyberMDX researchers also discovered hardcoded VNC credentials, which can be easily obtained from product documentation.

GE Healthcare has also inadvertently exposed SSH private keys, making it possible for hackers to remotely connect to devices and execute malicious code.

Another vulnerability is related to the presence of the KaVoom! KM keyboard-mouse software, which enables users to centrally manage multiple workstations. While this functionality can be useful for legitimate users, it can also be abused by malicious actors to change device settings and alter data.

The researchers also found that the Webmin system configuration tool present on affected devices is old and full of known vulnerabilities.

Finally, they discovered that the software update manager running on impacted GE devices does not properly verify updates, allowing an attacker to cause a DoS condition or install malicious software.

Elad Luz, head of research at CyberMDX, told SecurityWeek that the vulnerabilities, particularly the ones involving hardcoded credentials, are not difficult to exploit, and an attack could potentially be routed from the internet given that hospitals are typically not isolated from the internet.

GE Healthcare is developing patches for these vulnerabilities, and the updates, which will also contain additional security enhancements, should become available in the second quarter of 2020. In the meantime, the company has advised facilities using the affected devices to follow network management best practices in order to prevent potential attacks.

The company is not aware of any incidents involving these vulnerabilities and it has pointed out that monitoring devices contain minimal PHI, such as name and basic vitals, but not databases of stored information. Furthermore, even this minimal data is only stored on monitoring devices for a brief period — depending on the device and its configuration — and in most cases it should be deleted when the patient is discharged.

This is not the first time CyberMDX has found flaws in GE Healthcare products. Last year, the cybersecurity company reported discovering weaknesses in anesthesia machines.

GE initially downplayed the severity of the flaws and said they don’t pose any risk to patients, but later admitted that their exploitation can have serious consequences.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
