Over 100 device models from GE Healthcare that are used primarily for radiological and imaging purposes in hospitals and other healthcare facilities can easily be compromised by hackers because of default support credentials that are publicly known but can't be changed easily by users. This insecure implementation of remote management functionality allows hackers to access sensitive data stored on the impacted devices as well as infect them with malicious code that would be very hard to detect.
Healthcare organizations have increasingly been targeted by cybercriminal groups this year, particularly those distributing ransomware. At least three US government agencies—the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Homeland Security (DHS)—jointly issued an alert, warning that groups like TrickBot, Ryuk and Conti pose an imminent threat to US hospitals and healthcare providers. Vulnerabilities like the one found in GE Healthcare devices can amplify those attacks, giving hackers access to critical devices that organizations can't afford to have offline.
Insecure device maintenance
The problem stems from the remote maintenance and update procedures implemented for many GE devices, including CT, PET, molecular imaging, MRI, mammography, X-ray and ultrasound devices. According to researchers from IoT security firm CyberMDX who reported the issue, over 100 device models, also known as modalities, across many product lines are affected. These include devices branded as Brivo, Definium, Discovery, Innova, Optima, Odyssey, PetTrace, Precision, Seno, Revolution, Ventri and Xeleris.
Imaging modalities typically have an integrated computer running a UNIX-based operating system, as well as specialized software from GE. Periodically, GE servers access these devices over various protocols including FTP, SSH, Telnet and REXEC to update software, pull logs, execute commands and perform other maintenance procedures.
These services usually listen on the local network, and GE has a tunnel into those networks from the internet, through a VPN or some other technology, that was set up during deployment, Elad Luz, the head of research at CyberMDX, tells CSO. "The GE servers are initiating the connection into those stations over the hospital network and the whole procedure is automated."
The problem, however, is that the maintenance mechanism does not include any check to ensure that only the GE servers can talk to the device, meaning that any computer on the same network can potentially access those ports. There is authentication, but it's done with default credentials that are shared by multiple products and which can be found on online forums or inside publicly available manuals.
Compounding the issue, customers can't change those credentials themselves without breaking the automated maintenance procedures performed by GE. This means that mitigating the problem requires contacting the GE Healthcare support team and asking them to change the credentials. Another recommendation is to implement an access policy through firewall rules that only allow connections on those ports from authorized local IP addresses, such as those of the network tunnels used by GE.
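As an added example (not code from the article, CyberMDX or GE), the allow-list idea behind the firewall recommendation can also be applied on the detection side: review connection logs for traffic to a modality's maintenance ports that does not come from the vendor tunnel. The modality addresses, the tunnel range, the log format and the log lines are all constructed for illustration; the ports are the standard ones for the protocols the article names (FTP 21, SSH 22, Telnet 23, rexec 512).

```python
"""Flag connections to imaging-modality maintenance ports that do not
originate from the authorized vendor tunnel (hypothetical detection script)."""
import ipaddress
import re

# Standard ports for the protocols GE uses for remote maintenance.
MAINTENANCE_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 512: "rexec"}

# Hypothetical asset inventory: imaging modalities on the hospital network.
MODALITIES = {"10.20.5.11", "10.20.5.12"}

# Hypothetical authorized sources: the vendor's VPN/tunnel endpoint range.
AUTHORIZED_SOURCES = [ipaddress.ip_network("10.250.0.0/24")]

# Constructed log format: "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<proto>\w+)$"
)

# Constructed sample: legitimate vendor-tunnel traffic, an unauthorized local
# host probing Telnet and rexec on a modality, and two lines that must not match.
SAMPLE_LOG = """\
2020-12-08T02:00:01Z 10.250.0.7 -> 10.20.5.11:22 tcp
2020-12-08T02:00:05Z 10.250.0.7 -> 10.20.5.11:21 tcp
2020-12-08T09:14:22Z 10.20.40.88 -> 10.20.5.12:23 tcp
2020-12-08T09:14:30Z 10.20.40.88 -> 10.20.5.12:512 tcp
2020-12-08T10:02:11Z 10.20.40.90 -> 10.20.5.11:443 tcp
2020-12-08T10:05:00Z 10.20.40.91 -> 10.20.9.9:22 tcp
"""

def is_authorized(src: str) -> bool:
    """True if the source address lies inside an authorized tunnel range."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in AUTHORIZED_SOURCES)

def find_unauthorized(log_text: str) -> list[dict]:
    """Return one finding per connection to a modality maintenance port
    whose source is outside the authorized tunnel range."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the sweep
        port = int(m["port"])
        if m["dst"] not in MODALITIES or port not in MAINTENANCE_PORTS:
            continue  # not a modality, or not a maintenance service
        if is_authorized(m["src"]):
            continue  # expected vendor traffic
        findings.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                         "service": MAINTENANCE_PORTS[port]})
    return findings

if __name__ == "__main__":
    for f in find_unauthorized(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} -> {f['dst']} ({f['service']}) not from vendor tunnel")
```

Against the sample above it reports the two Telnet and rexec connections from 10.20.40.88; the same allow list is what the firewall policy the article recommends would enforce.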
CyberMDX reported the issue, which is rated critical with a CVSS score of 9.8, to GE Healthcare, which analyzed its entire product line to identify affected products and started working on patches. CISA has also been notified and will release an advisory today.
Outdated security assumptions vs modern threats
The use of hard-coded credentials and hidden support accounts has been common practice among manufacturers of embedded and specialized devices for many years. Device makers didn't view this as a vulnerability because the assumption was that local networks are trusted by default and it's the customers' responsibility to secure them. Of course, modern attackers take advantage of such outdated thinking and this is why enterprises are moving toward zero-trust network architecture principles where devices are not implicitly trusted based on their network location.
Some of the most damaging and effective ransomware gangs such as Ryuk are known for their reliance on manual hacking techniques and extensive lateral movement inside local networks. The goal of such groups is to compromise not just a few computers, but the entire network so they can deploy ransomware at once on as many systems as possible, including critical servers and devices. Many ransomware gangs now also exfiltrate sensitive data from organizations and threaten to release it or auction it online if ransoms are not paid. Another increasingly common technique is to launch distributed denial-of-service (DDoS) attacks against ransomware victims to cause further disruption of services and force their hand.
In healthcare organizations, imaging devices are interconnected with many other systems, including archive servers and workstations used by medical staff and radiology specialists. By taking advantage of poorly implemented authentication, attackers can gain access to a trove of sensitive patient data. Furthermore, since these devices don't have antivirus programs or other endpoint security solutions running on them, attackers can compromise them and use them as a persistent foothold inside organizations. IT staff can't easily replace or reimage such devices in the aftermath of a cyberattack, and they're rarely checked as part of normal incident response procedures.
Disrupting the operation of such devices, whether by malicious attackers or by the inspection and cleanup needed to remove malicious code, could result in patients being diverted to other facilities. Earlier this year the first ransomware-related death was reported in Germany, when a patient with a life-threatening condition had to be diverted to another hospital because the one closest to them was shut down following a ransomware attack.
Assuming that hospital networks are safe when engineering medical devices is wrong because that's not true at all, Luz says. Hospitals are public places with a lot of people accessing the wireless network or potentially gaining access to physical Ethernet ports, with doctors exchanging emails and browsing the web, with patients bringing in their scans and medical records from external sources on various storage devices, and so on. There's a lot of communication and data sharing, and as much as you'd like those networks to have high security hygiene and be isolated, they do not, he says.