GE Ultrasound Gear Riddled With Bugs, Open to Ransomware & Data Theft

Published: 23/11/2024   Category: security



Thankfully, GE ultrasounds aren't Internet-facing. Exploiting most of the bugs to cause serious damage to patients would require physical device access.



Researchers have discovered 11 security vulnerabilities in GE HealthCare's Vivid Ultrasound family of products, as well as two related software programs.
The issues are varied, and include missing encryption of sensitive data, use of hardcoded credentials, and more. They range in severity from 5.7 to 9.6 on the CVSS 3.1 scoring system.
As Nozomi Networks explained in its report, the bugs could lead to remote code execution (RCE) with full privileges and any number of attack scenarios such powers would entail. However, the most serious scenarios also require physical access to the devices in question, massively reducing the potential risk for healthcare facilities.
"However, even when talking about vulnerabilities that indeed require physical access for being exploited, we believe that the likelihood of an attack is far from being negligible," warns Andrea Palanca, senior security researcher with Nozomi Networks. "As a matter of fact, ultrasound machines are used in hospitals and clinics that are frequently accessed by external individuals, and our research showed that just one minute of physical access is sufficient to execute an attack. So, we feel that not only malicious insiders, but also outsiders may have chances to accomplish the attack."
In the course of their study, Nozomi's researchers analyzed three GE creations: the Vivid T9 ultrasound system, designed primarily for cardiac imaging; its pre-installed Common Service Desktop Web application, used for various administrative purposes; and the EchoPAC clinical software package, which doctors use to review and analyze ultrasound images.
In some ways, GE's ultrasounds are built to prevent users from causing security issues. For example, the Common Service Desktop Web app is exposed only on the localhost interface of a device, preventing long-distance tampering. This is important, as the software is used by administrators to do such things as change passwords and gather logs.
Other secure design elements didn't hold up so well, however.
The Vivid T9 is essentially a complete PC running a GE-customized version of Windows 10. To focus its use in healthcare settings, most of the device logic is handled by applications and scripts running on it. Its graphical user interface (GUI), for example, restricts users from accessing the underlying operating system functionalities, with a few exceptions.
However, thanks to an old bug in the system — CVE-2020-6977, a CVSS 8.4-rated kiosk breakout vulnerability — researchers were able to bypass the GUI to reach into the PC and obtain administrative privileges. Then, using CVE-2024-1628, an 8.4-severity command injection issue in Common Service Desktop, they were able to perform arbitrary code execution, dropping ransomware that froze the machine.
Exploiting EchoPAC proved even simpler, provided the program's "Share" feature was enabled. With a connection to a doctor's workstation, an attacker can abuse hardcoded credentials — CVE-2024-27107, critical 9.6 CVSS — to access its live database server instance. There, they can read, edit, and steal patient data.
The catch is that, unlike with Internet of Things (IoT)-connected medical devices, exploiting a T9 and Common Service Desktop requires that a malicious insider have physical access to the device's embedded keyboard and trackpad. (EchoPAC, meanwhile, is easier to break into, requiring only a foothold in the local area network and no other credentials whatsoever.)
This is good news for healthcare facilities, but there's a slight caveat. An attacker could avoid all the necessary clicking and typing by instead plugging a malicious drive into the T9's exposed USB port. In its experiments, Nozomi demonstrated how a specially crafted drive could compromise a T9 in only a minute's time.
"We hope that our findings inspire more and more vendors to adopt stronger security measures as early as possible, given the significant impacts that the exploitation of these vulnerabilities may cause, and that we practically demonstrated," says Palanca.
Patches and mitigations for all 11 vulnerabilities are available at GE HealthCare's product security portal.
