According to GE Healthcare, that means that the bug (CVE-2019-10966) could allow an attacker to impair respirator functionality in GE Aestiva and Aespire Versions 7100 and 7900, theoretically changing the composition of aspirated gases – while also silencing alarms and altering time and date records.
That sounds bad on the surface, but GE Healthcare said that cybercriminals wouldn’t be able to actually cause any danger to a patient given that these devices are never used without human oversight.
“Anesthesia devices are qualified as an attended device, and device location is where primary control is maintained by the physician,” it explained in a website posting this week. “While an alarm could potentially be silenced via the insufficiently secured terminal server TCP/IP connection to the GE Healthcare anesthesia device, both audible annunciation of the alarm, and visual signaling of the alarm are presented to the attending clinician at the GE Healthcare anesthesia device interface.”
Deral Heiland, IoT research lead at Rapid7, said that the assessment of no patient danger should not make the find any less alarming.
“GE’s response of …. determining no risk to patients makes me wonder what level of control can be conducted over the network against the anesthesia and respiratory machines,” he said via email. “My first thought is, if the device can accept commands over the network without authentication, then that would be a critical risk. Either way, medical facilities should always maintain segmentation of their critical-care networks from exposure and this we help mitigate many known and unknown risks.”
The flaw, reported by Elad Luz of CyberMDX to NCCIC, exists thanks to the configuration exposure of certain terminal server implementations that extend GE Healthcare anesthesia device serial ports to TCP/IP networks. It affects models sold before 2009, which may have employed an external gas monitor.
“A vulnerability exists where serial devices are connected via an added unsecured terminal server to a TCP/IP network configuration, which could allow an attacker to remotely modify device configuration and silence alarms,” ICS-CERT said in an advisory posted this week.
While there isn’t a patch, GE Healthcare issued a recommendation that organizations use secure terminal servers when connecting device serial ports to TCP/IP networks. “Secure terminal servers provide robust security features, including strong encryption, VPN, authentication of users, network controls, logging, audit capability and secure device configuration and management options,” according to the advisory.
“One of the best solutions to mitigate potential exposure like this is for medical facilities to segment their critical-care networks from business networks, not allowing the two to communicate with each other, nor allowing Internet access from the critical-care networks,” Heiland said. “Following this practice will help reduce risk and impact of attacks, malware and virus infection within critical-support medical technology.”