Security researchers have discovered vulnerabilities in two models of hospital anesthesia machines manufactured by General Electric (GE).
The two devices found to be vulnerable are GE Aestiva and GE Aespire — models 7100 and 7900. According to researchers from CyberMDX, a healthcare cybersecurity firm, the vulnerabilities reside in the two devices’ firmware.
Researchers: Flaws can put patients at risk
CyberMDX said attackers on the same network as the devices — a hospital’s network — can send remote commands that can alter devices’ settings.
“There is simply a lack of authentication,” a CyberMDX researcher told ZDNet in an email today, detailing the exact nature of the security flaws.
“The mentioned commands are supported by design,” he added. “Some of them are only supported on an earlier version of the protocol, however there is another command that allows changing the protocol version (for backward compatibility). After sending a command to change the protocol version to an earlier one, an attacker can send all other commands.”
The researcher claims the commands can be used to make unauthorized adjustments to the anesthetic machines’ gas composition, such as modifying the concentration of oxygen, CO2, N2O, and other anesthetic agents, or the gas’ barometric pressure.
CyberMDX said that such unauthorized modifications could put patients at risk. Furthermore, attackers could also silence device alarms for low/high levels of various agents and modify timestamps inside logs.
“The potential for manipulating alarms and gas compositions is obviously troubling,” said Elad Luz, Head of Research at CyberMDX. “More subtle but just as problematic is the ability to alter timestamps that reflect and document what happened in a surgery.”
“Anesthesiology is a complicated science and each patient may react differently to treatment. As such, anesthesiologists must follow stringent protocols for documenting and reporting procedures, dosages, vital signs, and more.
“The ability to automatically and accurately capture these details is one of the main reasons why respirators are connected to the network to begin with. Once the integrity of time and date settings has been compromised, you no longer have reliable audit trails.
“That’s a very serious problem for any medical center,” said Luz.
In addition, the attacks are relatively simple to pull off, once the attacker has gained access to a hospital’s network — most of which are known to run insecure and outdated software.
GE downplays vulnerabilities, recommends not networking devices
CyberMDX told ZDNet that they reported the flaws to GE in October 2018. GE decided against issuing patches but the company will be publishing mitigation recommendations on their website.
In an email to ZDNet, GE detailed these mitigations. The vendor said the vulnerabilities can be avoided if the anesthesia machines aren’t connected to a hospital’s network, as the actual security flaws are only found in the communications protocols used when the devices’ serial port (e.g. USB) is connected to a TCP/IP network through a terminal server device. If the anesthesia machines aren’t connected to a hospital network, they can’t be exploited, even if the hacker has access to a hospital’s network.
But in case anesthesia machines need to be connected to a central management system, GE said that secure terminal servers should be used, without specifying what these are or what requirements they must meet.
Furthermore, the vendor said the ability to modify gas composition parameters is no longer present on systems sold after 2009, and shouldn’t pose a threat unless hospitals are using very old GE Aestiva and GE Aespire machines.
The Department of Homeland Security’s ICS-CERT team, which helped CyberMDX contact GE’s healthcare division, will publish a security alert later today with instructions on how hospitals and other medical centers can secure impacted anesthesia machines. We were told GE plans to publish similar information on its website, at this URL. The CyberMDX report detailing GE Aestiva and Aespire vulnerabilities is available here.