GE learned of a serious vulnerability affecting two brands of anesthesia machines in October. The company on Tuesday advised customers to take steps to protect them from being remotely tampered with.
The U.S. Department of Homeland Security on Tuesday warned that a serious and remotely exploitable security hole has been found in two anesthesia devices made by GE Healthcare.
DHS issued an ICS Medical Advisory (ICSMA-19-190-01) Tuesday for the GE Aestiva and GE Aespire Anesthesia Machines, versions 7100 and 7900. A vulnerability in software that runs the devices could allow a remote attacker to connect to and remotely modify device configurations, including changing the composition of gasses aspirated using the machines and silencing alarms.
GE Aestiva and Aespire devices that are connected to a network via a terminal server allow unauthorized access. That could allow a malicious actor on the same network as the devices to “modify gas composition parameters to correct flow sensor readings for gas density, modify device time and silence alarms after the initial audible alarm under certain circumstances,” GE said in a notice published on the company’s website.
The company said its anesthesia devices are considered “attended devices” and that most controls are managed on the device itself by a physician.
Medical devices commonly communicate via serial ports and are not compatible with TCP/IP networks used in most hospitals and medical settings. Terminal servers are often used to connect these devices to a local- or wide area network, according to CyberMDX Head of Research Elad Luz. “The most common reason that a hospital would use one of these would be telemetry,” he said.
However, Luz found that he could remotely change device settings without having to first authenticate to the device. Factors such as the composition of gasses distributed and the date and time of the device, as well as muting alarms.
Such capabilities aren’t typically accessible via remote interfaces. The fact that they were in the GE devices may be the result of a testing or calibration feature intended for use during manufacturing that was not disabled, he said. “Perhaps this was for technicians to come over and calibrate the machine,” he said.
GE said that while alarms could be silenced as a result of the authentication flaw, physicians standing next to a device would hear an “audible annunciation of the alarm and visual signaling of the alarm,” the company said.
The terminal server is separate from the GE anesthesia pumps. Such devices may have security features that require users to authenticate to connect, or not. Regardless, once connected to the Terminal Server, an attacker would not need to authenticate at all to the anesthesia machine in order to modify the operation of the anesthesia machines, he said. “I think a more secure approach could be taken,” Luz said.
The command that allowed a remote user to change the gas composition was only implemented in an early version of the proprietary protocol used in the GE devices, but was dropped in subsequent updates to that protocol. Unfortunately, Luz said, the company continued to offer a feature that allowed users to force the devices to use the older version of the protocol, re-exposing the gas composition feature. That suggests GE was aware of the presence of the gas composition feature and took steps to remove access to it.
CyberMDX informed GE of the holes in October, 2018 working through ICS-CERT, part of the Department of Homeland Security.
GE recommended that organizations use secure terminal servers when remotely connecting to its anesthesia devices and use “best practices” when deploying the devices in networked environments, including network segmentation, firewalls and other forms of device isolation.
While serious, the GE flaws are not unusual, Luz said. He said his team often finds remote control features on medical devices either as a convenience or a manufacturing oversight. Hospitals are often unaware that the remote features exist and aren’t provided with software that leverages the functions, he said.
Security issues in medical devices are not a new issue. The Health Care Industry Cyber Security Task Force “Report on Improving Cybersecurity in the Health Care Industry” (PDF), released in 2017, concluded that the entire healthcare sector was plagued by a “severe lack of cybersecurity talent” and the widespread, continued use of legacy devices that were never intended to be connected to the internet.
The Food and Drug Administration (FDA) in 2018 released a Medical Device Safety Action Plan (PDF) calls for a number of actions. They include seeking congressional approval for increased pre-market authority to require developers and manufacturers to “build capability to update and patch device security into a product’s design and to provide appropriate data regarding this capability to FDA.” The report would also require submission of a software bill of materials (SBM) for medical device customers and users as a condition of FDA approval.