GE puts default password in radiology devices, leaving healthcare networks exposed

Photograph of a complicated, intimidating medical device.

Dozens of radiology products from GE Healthcare contain a critical vulnerability that threatens the networks of hospitals and other health providers that use the devices, officials from the US government and a private security firm said on Tuesday.

The devices—used for CT scans, MRIs, X-Rays, mammograms, ultrasounds, and positron emission tomography—use a default password to receive regular maintenance. The passwords are available to anyone who knows where on the Internet to look. A lack of proper access restrictions allows the devices to connect to malicious servers rather than only those designated by GE Healthcare. Attackers can exploit these shortcomings by abusing the maintenance protocols to access the devices. From there, the attackers can execute malicious code or view or modify patient data stored on the device or the hospital or healthcare provider servers.

Aggravating matters, customers can’t fix the vulnerability themselves. Instead, they must request that the GE Healthcare support team change the credentials. Customers who don’t make such a request will continue to rely on the default password. Eventually, the device manufacturer will provide patches and additional information.

The flaw has a CVSS severity rating of 9.8 out of 10 because of the impact of the vulnerability combined with the ease of exploiting it. Security firm CyberMDX discovered the vulnerability and privately reported it to the manufacturer in May. The US Cyber Security and Infrastructure Security Agency is advising affected healthcare providers to take mitigation steps as soon as possible.

In a statement, GE Healthcare officials wrote:

We are not aware of any unauthorized access to data or incident where this potential vulnerability has been exploited in a clinical situation. We have conducted a full risk assessment and concluded that there is no patient safety concern. Maintaining the safety, quality, and security of our devices is our highest priority.

We are providing on-site assistance to ensure credentials are changed properly and confirm proper configuration of the product firewall. Additionally, we are advising the facilities where these devices are located to follow network management and security best practices.

Affected devices include:

  • Advantage Workstation & Server
  • Optima
  • Innova
  • LightSpeed Pro 16
  • LightSpeed RT 16
  • BrightSpeed, Discovery and Optima
  • Revolution EVO
  • Revolution Frontier
  • Discovery IQ
  • Odyssey
  • Discovery
  • Xeleris
  • SIGNA HD/HDxT 3.0T
  • Bravo 355/Optima 360
  • Seno 2000D, DS, Essential
  • Senographe Pristina
  • Definium, Brivo, and Discovery
  • Logiq
  • Voluson

The devices contain an integrated computer that runs a Unix-based operating system. Proprietary software that runs on top of the OS perform various management tasks, including maintenance and updates performed by GE Healthcare over the Internet. The maintenance requires the machines to have various services turned on and Internet ports open. Services and ports include:

  • FTP (port 21)—used by the modality to obtain executable files from the maintenance server
  • SSH (port 22)
  • Telnet (port 23)—used by the maintenance server to run shell commands on the device.
  • REXEC (port 512)—used by the maintenance server to run shell commands on the device.

CyberMDX said device users should implement network policies that restrict the ports to listening mode only for device connections.

https://arstechnica.com/?p=1728265