Specialists of the CyberMDX research group revealed a vulnerability in the firmware of a number of models of anesthesiology stations manufactured by General Electric (GE).
Using this vulnerability, attackers can remotely change device settings up to the parameters of the supply of supplied to patient’s gas.These are the GE Aestiva and GE Aespire devices (models 7100 and 7900). Taking advantage of the vulnerability (CVE-2019-10966), attackers can forcibly roll back the version of the communication protocol used by the device to a less secure and remotely send commands over the local network.
“Anesthesiologists will usually have strict protocols requiring them to document procedures, dosages, vital signs, and more. This is the main reason anesthesia machines are connected to the network — reporting and documenting their status and actions”, — noted CyberMDX specialists.
For a successful attack, the hacker must be in the same network as the device, and he does not need any special rights. In addition, if the system is connected to a terminal server, knowledge of the IP address is also optional.
Read also: Over 10 million users became victims to a fraudulent app for Samsung firmware updates
This attack allows not only to regulate the composition of the respiratory gas mixture, but also to turn off alerts, change the time and date, as well as barometric pressure. Its implementation does not require user interaction or authorization on the device.
According to researchers from the company CyberMDX, the manufacturer was informed about the problem in October last year.
“This vulnerability does not pose an immediate danger to patients”, – said representatives of General Electric.
In the future, the company intends to issue corrective patches, but for now has proposed a number of measures to prevent the exploitation of the vulnerability, including the use of secure terminal servers when connecting anesthetic machines to the network.
