Risk: Medium. A CVSS v3 grade of 5.3 has been calculated.
The CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Date Discovered by CyberMDX: October 29, 2018
ICS-CERT Advisory date: July 9, 2019
CyberMDX’s research team discovered a vulnerability related to the GE Aestiva and GE Aespire devices (models 7100 and 7900). If an attacker gains access to a hospital’s network and if the GE Aestiva or GE Aespire devices are connected via terminal servers, the attacker can force the device(s) to revert to an earlier, less secure version of the communication protocol and remotely modify parameters without authorization. When deployed using terminal servers, these manipulations can also be performed without any prior knowledge of IP addresses or location of the anesthesia machine. The attack could lead to:
Unauthorized gas composition input – altering the concentration of inspired/expired oxygen, CO2, N2O, and anesthetic agents.
Manipulation of barometric pressure settings and anesthetic agent type selection.
Remote silencing of alarms.
Alteration of date and time settings.
This could impact the confidentiality, integrity and availability of a component of the system.
The vulnerability in question pertains specifically to the GE Aestiva and GE Aespire machines, versions 7100 and 7900 respectively (4 combinations in total).
Anesthesiologists will usually have strict protocols requiring them to document procedures, dosages, vital signs, and more.
This is the main reason anesthesia machines are connected to the network — reporting and documenting their status and actions. (It is in this regard that alterations to date and time settings can prove consequential — jumbling log chronology and undermining the efficacy of audit trails.)
These machines have a serial communication port and the network integration is achieved via terminal server.
Commands enabled via attack
Gas composition input: sets concentration of inspired/expired oxygen, CO2, N2O and anesthetic agents; also capable of setting barometric pressure and selecting the anesthetic agent type.
Silence alarms: the machine’s alarm is designed to generate a continuous loud noise until drawing someone’s attention and having the underlying patient/device conditions attended to. (Exploiting the vulnerability in question can allow a bad actor to send commands to silence the alarm so that the noise is only briefly heard.)
Date and time set.
CyberMDX’s research team conducted several field tests with the machines in question and has successfully confirmed the vulnerability.
It should however be noted that the team only attempted the command to silence the device’s alarm, as adjustments to settings for chemical constitution and time can have complicated and potentially long-lasting consequences that were best to avoid in a real hospital environment.
Attack vector: Network. This attack is over TCP.
Complexity: Low. Only requires knowledge of command conventions.
Privileges Required: None. The machine does not require or use authentication.
User Interaction: None, this is done remotely with nothing needed on the user side.
Scope: Unchanged.
Confidentiality: None. An attacker can see the dosages and drug names being used by the patients in a room.
Availability: Low. Muting alarms and setting time/date may affect the trustworthiness of information.
Mitigations and Recommendations
GE Healthcare plans to provide updates and additional security information about this vulnerability for affected users. Please check their website for more information.
Elad Luz, Head of Research at CyberMDX, a Forescout Company