CISA Discovers Vulnerabilities in GE Healthcare Radiological Devices

December 17, 2020 by Alessandro Mascellino

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) discovered a credentials issue affecting radiological devices in hospitals.

The Industrial Control Systems (ICS) Medical Advisory (ICSMA-20-343-01) published on December 8 explicitly mentions two bugs affecting GE Healthcare imaging and ultrasound products. The vulnerabilities mentioned in the report are an unprotected transport of credentials and exposure of sensitive system information to an unauthorized control sphere.


High-Risk Vulnerabilities

CyberMDX researchers discovered the bugs in May of 2020. The bugs affect a variety of medical devices commonly used in hospitals. These include CT scanners, ultrasound devices, PET machines, molecular imaging devices, MRI machines, mammography devices, and X-ray machines.


GE CT system

A computed tomography (CT) System. Image courtesy of GE Healthcare.


The vulnerabilities are caused by default credentials used by GE Healthcare management software that controls the devices’ PC, based on a Unix operating system (OS). GE Healthcare uses the management software to push updates and maintenance operations directly to the devices. Due to the bugs, credentials are publicly exposed in the process.

The first bug refers to the exposure of specific credentials during network transmission operations. The second allows both exposed and default credentials to be utilized to access or modify sensitive information.

Both flaws were assigned a Common Vulnerability Scoring System (CVSS) severity score of 9.8 by the CISA. CVSS is an open industry standard for identifying cybersecurity risks based on several metrics. Since CVSS scores run from 0 to 10, with 10 being the most severe, the newly discovered GE Healthcare vulnerabilities are classified as high risk.


Sensitive Information at Risk

Failing to mitigate these bugs may result in the exposure of specific credentials during transport over the network. If exploited, these vulnerabilities could allow an attacker to gain remote admin access to the affected devices with the same privilege level as GE Healthcare operators.

The report explains, “A successful exploitation could expose sensitive data such as a limited set of patient health information (PHI) or could allow the attacker to run arbitrary code, which might impact the availability of the system and allow manipulation of PHI.”

GE Healthcare released specific guidelines to mitigate the bugs. The CISA Medical Advisory also provides some generic advice that is applicable to secure the affected devices.


CISA logo

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) logo. Image courtesy of CISA.


According to the CISA, these include proper segmentation of the local facility network and creating "explicit access rules based on source/destination IP/port for all connections, including those used for remote support."

CISA also advised organizations to utilize IPSec VPN and explicit access rules at the Internet edge before forwarding incoming connections to the local facility network. 


Unix OS in Industrial Automation

Unix-based systems are used commonly in supervisory control and data acquisition (SCADA) systems and PLC for years. Due to specific vulnerabilities and weak security protocols, these systems have already been targets of malicious activity in the past. 

For example, a ransomware infection shut down a U.S. natural gas pipeline for two days last February. In May, the Israeli Government issued a security alert after hackers targeted SCADA systems across the country.

To protect companies from malicious actors, and ransomware attacks in particular, CISA released the Ransomware Guide in October.

There are also various design-based fortifications to consider to keep your industrial measurement and control systems safe and prevent malicious attacks.