A vulnerability affecting several anesthesia and respiratory devices manufactured by General Electric (GE) Healthcare could allow attackers to manipulate the devices’ settings and silence alarms, CyberMDX researchers have found.
About the vulnerability (CVE-2019-10966)
CVE-2019-10966 affects versions 7100 and 7900 of the GE Aestiva and GE Aespire machines, primarily used in the U.S.
The vulnerability is exploitable only if the machines are connected to a hospital network through their serial communication port via a terminal server, and only by an attacker who already has access to that network.
“Successful exploitation of this vulnerability could allow an attacker the ability to remotely modify GE Healthcare anesthesia device parameters. This results from the configuration exposure of certain terminal server implementations that extend GE Healthcare anesthesia device serial ports to TCP/IP networks,” ICS-CERT noted.
CyberMDX researchers say that they conducted several field tests with vulnerable machines and have confirmed the vulnerability.
The first step to exploitation is to force the devices to revert to an earlier, less secure version of the communication protocol they use. This allows an attacker who has knowledge of command conventions to:
- See the dosages and drug names being used by the patients in a room
- Make gas composition parameter changes
- Manipulate barometric pressure settings and anesthetic agent type selection
- Make date and time changes
- Silence alarms.
“Anesthesiologists will usually have strict protocols requiring them to document procedures, dosages, vital signs, and more. This is the main reason anesthesia machines are connected to the network — reporting and documenting their status and actions,” the team noted.
“It is in this regard that alterations to date and time settings can prove consequential — jumbling log chronology and undermining the efficacy of audit trails.”
What to do to minimize the risk?
Despite CyberMDX’s claims, GE Healthcare says that “the potential gas composition parameter changes, potential device time change, or potential remote alarm silencing actions will not interfere in any way with the delivery of therapy to a patient at the point of delivery, and do not pose any direct clinical harm,” and that “the potential ability to modify GE Healthcare anesthesia device parameters or silence alarms does not demonstrate a vulnerability of the GE Healthcare anesthesia device functionality itself.”
GE does not plan to fix the flaw, which effectively arises from the fact that the machines neither require nor use authentication.
Instead, GE advises healthcare organizations to use terminal servers that offer security features such as strong encryption, VPN, user authentication, network controls, logging and audit capability, and secure device configuration and management options.
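Because the device itself does not authenticate, the network controls and logging GE recommends are the only place to catch unexpected access. The check below is an added defender-side example (not from the article, GE Healthcare or CyberMDX): it reviews constructed connection records to a terminal server that exposes an anesthesia device's serial port over TCP and flags sessions that do not come from an allow-listed client or that originate outside the clinical segment. The port number, addresses and record format are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed: the terminal server exposes the device's serial port as a raw TCP
# listener on this port. Placeholder value; take it from the server's config.
SERIAL_TCP_PORT = 4001

# Assumed: only the charting/documentation server may talk to the device.
ALLOWED_CLIENTS = {"10.20.5.10"}
# Assumed: the clinical device segment; anything outside it is suspicious.
CLINICAL_SEGMENT = ipaddress.ip_network("10.20.0.0/16")


@dataclass
class Finding:
    src: str
    dst: str
    reason: str


def parse_flow(line: str) -> tuple:
    """Parse a constructed flow record of the form 'src_ip dst_ip dst_port'."""
    src, dst, port = line.split()
    return src, dst, int(port)


def review_flows(lines: list, device_hosts: set) -> list:
    """Flag sessions to a device's serial-over-TCP port that are not from an
    allow-listed client, or that originate outside the clinical segment."""
    findings = []
    for line in lines:
        src, dst, port = parse_flow(line)
        if dst not in device_hosts or port != SERIAL_TCP_PORT:
            continue  # not traffic to the exposed serial port
        if src in ALLOWED_CLIENTS:
            continue  # expected documentation/charting client
        if ipaddress.ip_address(src) not in CLINICAL_SEGMENT:
            findings.append(Finding(src, dst, "source outside clinical segment"))
        else:
            findings.append(Finding(src, dst, "source not on client allow-list"))
    return findings


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    "10.20.5.10 10.20.7.31 4001",    # authorized charting server
    "10.20.9.44 10.20.7.31 4001",    # unexpected host inside the segment
    "192.168.1.77 10.20.7.31 4001",  # host outside the segment
    "10.20.9.44 10.20.7.31 22",      # not the serial port, ignored
]
DEVICE_HOSTS = {"10.20.7.31"}  # assumed terminal server address

if __name__ == "__main__":
    for f in review_flows(SAMPLE_FLOWS, DEVICE_HOSTS):
        print(f"{f.src} -> {f.dst}: {f.reason}")
```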