GE Anesthesia and Respiratory Device Vulnerability

Vedere Labs Team (formerly CyberMDX) Discovers Medical Device Vulnerability in GE Anesthesia and Respiratory Devices

ICS-CERT Advisory (ICSMA-19-190-01)

Risk: Medium. A CVSS v3 grade of 5.3 has been calculated. The CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Date Discovered by CyberMDX: October 29, 2018
ICS-CERT Advisory date: July 9, 2019

Summary

CyberMDX’s research team discovered a vulnerability related to the GE Aestiva and GE Aespire devices (models 7100 and 7900). If an attacker gains access to a hospital’s network and if the GE Aestiva or GE Aespire devices are connected via terminal servers, the attacker can force the device(s) to revert to an earlier, less secure version of the communication protocol and remotely modify parameters without authorization. When deployed using terminal servers, these manipulations can also be performed without any prior knowledge of IP addresses or location of the anesthesia machine. The attack could lead to:

• Unauthorized gas composition input – altering the concentration of inspired/expired oxygen, CO2, N2O, and anesthetic agents.
• Manipulation of barometric pressure settings and anesthetic agent type selection.
• Remote silencing of alarms.
• Alteration of date and time settings.

This could impact the confidentiality, integrity and availability of a component of the system.

Vulnerability details

Affected devices

The vulnerability in question pertains specifically to the GE Aestive and GE Aespire machines, versions 7100 and 7900 respectively (4 combinations in total).

Attack context

Anesthesiologists will usually have strict protocols requiring them to document procedures, dosages, vital signs, and more.

This is the main reason anesthesia machines are connected to the network — reporting and documenting their status and actions. (It is in this regard that alterations to date and time settings can prove consequential — jumbling log chronology and undermining the efficacy of audit trails.)

These machines have a serial communication port and the network integration is achieved via terminal server.

Commands enabled via attack

• Gas composition input: sets concentration of inspired/expired oxygen, CO2, N2O and anesthetic agents; also capable of setting barometric pressure and selecting the anesthetic agent type. 
• Silence alarms: the machine’s alarm is designed to generate a continuous loud noise until drawing someone’s attention and having the underlying patient/device conditions attended to. (Exploiting the vulnerability in question can allow a bad actor to send commands to silence the alarm so that the noise is only briefly heard.)
• Date and time set. 

Field Testing

CyberMDX’s research team conducted several field tests with the machines in question and have successfully confirmed the vulnerability.

It should however be noted that the team only attempted the command to silence the device’s alarm, as adjustments to settings for chemical constitution and time can have complicated and potentially long-lasting consequences that were best to avoid in a real hospital environment.

Attack characteristics

Per the CVSS 3.0 vulnerability scoring rubric, the follow characteristic apply:

Attack vector: Network. This attack is over TCP.
Complexity: Low. Only requires knowledge of command conventions.
Privileges Required: None.  The machine does not require or use authentication.
User Interaction: None, this is done remotely with nothing needed on the user side.
Scope: Unchanged.
Confidentiality: None. An attacker can see the dosages and drug names being used by the patients in a room.
Availability:  Low. Muting alarms and setting time/date may affect the trustworthiness of information.

Mitigations and Recommendations

GE Healthcare plans to provide updates and additional security information about this vulnerability for affected users. Please check their website for more information. 

Credit

Elad Luz, Head of Research at CyberMDX, a Forescout Company