Security Problems In GE Ultrasound Machines
Security researchers have uncovered nearly a dozen security flaws affecting the GE HealthCare Vivid Ultrasound product family
CYBER SYRUP
Delivering the sweetest insights on cybersecurity.
Security researchers have uncovered nearly a dozen security flaws affecting the GE HealthCare Vivid Ultrasound product family. These vulnerabilities could potentially be exploited by malicious actors to tamper with patient data or even install ransomware on the devices. Such risks highlight the critical need for regular system updates and robust security measures.
Understanding the Vulnerabilities
The vulnerabilities impact the Vivid T9 ultrasound system and its pre-installed Common Service Desktop web application, as well as the EchoPAC software installed on doctors' Windows workstations. The Vivid T9's web application is exposed on the localhost interface, allowing users to perform administrative actions. EchoPAC helps access multi-dimensional echo, vascular, and abdominal ultrasound images.
Exploiting these flaws requires initial access to the hospital environment and physical interaction with the device. Once access is gained, attackers can execute arbitrary code with administrative privileges. This could allow them to implant ransomware, lock out systems, and tamper with or exfiltrate patient data.
Who Is at Risk?
Healthcare facilities using the GE HealthCare Vivid Ultrasound product family are at risk. This includes hospitals, clinics, and medical offices that rely on these systems for diagnostic imaging and patient data management. The implications extend to patients whose data could be compromised, manipulated, or held for ransom.
Specific Vulnerabilities Identified
CVE-2024-27107: A severe vulnerability involving hard-coded credentials, with a CVSS score of 9.6.
CVE-2024-1628: Command injection vulnerability.
CVE-2024-27110 and CVE-2020-6977: Execution with unnecessary privileges.
CVE-2024-1630 and CVE-2024-1629: Path traversal vulnerabilities.
CVE-2020-6977: Protection mechanism failure.
An exploit chain using CVE-2020-6977 can gain local access to the device, then leverage CVE-2024-1628 to achieve code execution. Attackers could also use exposed USB ports with malicious thumb drives to expedite the process, emulating keyboard and mouse actions faster than a human could.
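Keystroke injection from a rogue USB device stands out by its timing. The following is an added example, not from the original post or from GE HealthCare: it flags input devices that send keys faster than a person can type, assuming an endpoint agent already records key-down timestamps per device. The thresholds, device IDs and sample events are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed thresholds (tune per site): even fast typists do not sustain
# inter-key gaps this short across this many consecutive keys.
MAX_GAP_MS = 15
MIN_RUN = 10


@dataclass
class Burst:
    device: str
    start_ms: int
    end_ms: int
    keys: int


def find_injection_bursts(events, max_gap_ms=MAX_GAP_MS, min_run=MIN_RUN):
    """events: iterable of (timestamp_ms, device_id) key-down records.

    Returns one Burst for every run of at least min_run keys from a single
    device whose consecutive gaps are all <= max_gap_ms.
    """
    per_device = {}
    for ts, dev in sorted(events):
        per_device.setdefault(dev, []).append(ts)

    bursts = []
    for dev, stamps in per_device.items():
        run_start = 0
        for i in range(1, len(stamps) + 1):
            # A run ends at the end of the list or at the first slow gap.
            if i == len(stamps) or stamps[i] - stamps[i - 1] > max_gap_ms:
                if i - run_start >= min_run:
                    bursts.append(
                        Burst(dev, stamps[run_start], stamps[i - 1], i - run_start)
                    )
                run_start = i
    return sorted(bursts, key=lambda b: b.start_ms)


def sample_events():
    """Constructed data: a person on the built-in keyboard, then a newly
    attached HID device (hypothetical ID) sending 25 keys 4 ms apart."""
    human = [(1000 + 140 * i + (i % 3) * 25, "kbd-builtin") for i in range(20)]
    injected = [(5000 + 4 * i, "usb-hid-new") for i in range(25)]
    return human + injected


if __name__ == "__main__":
    for burst in find_injection_bursts(sample_events()):
        print(burst)
```

An alert from this check is most useful when correlated with a USB device-attach event on the same machine shortly before the burst.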
Protecting Your Equipment
Regular Software Updates: Ensure that all devices and software are regularly updated with the latest security patches. GE HealthCare and other manufacturers provide updates to mitigate known vulnerabilities.
Network Security: Implement strong network security measures, including firewalls, intrusion detection systems, and network segmentation. This can help prevent unauthorized access to medical devices and systems.
Physical Security: Restrict physical access to medical devices. Only authorized personnel should be able to interact with critical equipment, reducing the risk of physical tampering.
Employee Training: Educate healthcare staff about the importance of cybersecurity. Training should include recognizing phishing attempts and understanding the risks associated with using unauthorized USB devices.
Regular Security Audits: Conduct regular security audits to identify and address potential vulnerabilities. This proactive approach can help detect issues before they are exploited by attackers.
Backup and Recovery Plans: Develop and maintain robust backup and recovery plans. Regular backups can ensure that patient data is not lost in the event of a ransomware attack, and recovery plans can minimize downtime.
Recent Security Issues in Medical Devices
This disclosure comes on the heels of other notable security flaws in medical and IoT devices. For instance, vulnerabilities in the Merge DICOM Toolkit for Windows could trigger denial-of-service conditions. Similarly, a severe flaw in Siemens SIMATIC Energy Manager (EnMPro) allowed remote code execution with SYSTEM privileges.
Another example includes security weaknesses in the ThroughTek Kalay Platform, used in IoT devices like baby monitors and security cameras. These flaws allowed attackers to escalate privileges and execute commands as root, posing significant privacy and safety risks.
Conclusion
The discovery of these vulnerabilities in GE HealthCare's ultrasound products underscores the importance of robust cybersecurity measures in the healthcare sector. Regular updates, strong network and physical security, employee training, and proactive security audits are essential steps in protecting sensitive medical equipment and patient data from malicious threats. As technology continues to evolve, so too must the vigilance and preparedness of those responsible for safeguarding our critical healthcare infrastructure.