The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an advisory May 8 warning about cybersecurity vulnerabilities in wireless medical equipment made by Silex Technology and GE Healthcare.
The vulnerabilities—improper authentication and OS command injection—could enable an attacker to gain control of the equipment remotely.
The equipment under scrutiny is the Silex SX-500 and SD-320A wireless serial device servers and the GE Healthcare MobileLink, which is a wireless electrocardiogram (ECG) communication product that helps users capture, transmit, and analyze patients’ ECG information.
Regarding the improper authentication vulnerability, the advisory said that “authentication is not verified when making certain POST requests, which may allow attackers to modify system settings.”
Regarding the OS command injection vulnerability, the advisory said that a “system call parameter is not properly sanitized, which may allow remote code execution.”
Remote code execution is one of the most dangerous vulnerabilities because it allows an attacker to execute any command on a target machine without needing physical access to the machine.
ICS-CERT said that Eric Evenchick with Atredis Partners reported the vulnerabilities to Silex and GE and tested pre-release firmware and other mitigations, confirming that they resolved the vulnerabilities.
The following Silex products are affected: GEH-500 version 1.54 and prior (integrated into GE MobileLink), SX-500 all versions (end of life 2011), GEH-SD-320AN version GEH-1.1 and prior (integrated into GE MobileLink), and SD-320AN version 2.01 and prior (end of life Nov 2017).
The following models of GE MAC resting ECG analysis system may use the vulnerable MobileLink technology: MAC 3500, MAC 5000 (end of life 2012), MAC 5500, and MAC 5500 HD. GE Healthcare said its resting ECG system portfolio is designed to help improve clinical accuracy and connect users to advanced data analysis tools.
MobileLink enables wireless communication between the MAC 5500/5000 ECG analysis system and the GE Healthcare MUSE ECG management system, as well as the hospital information system.
Silex Technology and GE Healthcare recommended that users deploy the following mitigations:
For the improper authentication vulnerability in GE MobileLink/SX-500, users should enable the “update” account within the web interface, which is not enabled by default, and set the secondary password for the “update” account to prevent unauthenticated changes to the device configuration.
For the OS command injection vulnerability in GE MobileLink/GEH-SD-320AN, the two companies have produced an updated firmware image, which will be available for download from GE Healthcare by May 31, 2018.
GE Healthcare will post information about enabling the “update” account and download of new firmware at: http://www3.gehealthcare.com/en/support/security
The firmware update for SD-320AN is separate from the one for GEH-SD-320AN and will be available for download from Silex at an unspecified future date. This update does not pertain to the listed GEH device. Users are directed to contact Silex for more information regarding download and application of this new firmware.
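The affected-version list and vendor mitigations above can be checked against an asset inventory. The following Python script is an added example, not code from ICS-CERT, Silex or GE Healthcare; the inventory records are constructed, and the rule that firmware versions compare numerically field by field is an assumption.

```python
import re

# Affected ceilings from the article's list; None means all versions.
AFFECTED = {
    "GEH-500": ((1, 54), "see GE Healthcare security page"),
    "SX-500": (None, 'enable the "update" account, set its secondary password'),
    "GEH-SD-320AN": ((1, 1), "updated firmware from GE Healthcare"),
    "SD-320AN": ((2, 1), "contact Silex for updated firmware"),
}

def parse_version(text):
    """'1.54', 'GEH-1.1' or 'v2.01' -> tuple of ints such as (1, 54)."""
    fields = re.findall(r"\d+", text)
    if not fields:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(f) for f in fields)

def at_or_below(version, ceiling):
    """Compare field by field (assumed ordering), padding with zeros."""
    width = max(len(version), len(ceiling))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) <= pad(ceiling)

def triage(model, firmware):
    entry = AFFECTED.get(model.strip().upper())
    if entry is None:
        return ("not-listed", "")
    ceiling, action = entry
    if ceiling is None:
        return ("affected", action)
    try:
        version = parse_version(firmware)
    except ValueError:
        # Fail safe: a missing version is never reported as clean.
        return ("unknown-version", "read the firmware version off the device")
    if at_or_below(version, ceiling):
        return ("affected", action)
    return ("not-affected", "")

INVENTORY = [  # constructed sample: (asset tag, model, reported firmware)
    ("ECG-CART-01", "GEH-500", "1.54"),
    ("ECG-CART-02", "GEH-500", "1.60"),
    ("ECG-CART-03", "geh-sd-320an", "GEH-1.1"),
    ("LAB-SER-07", "SX-500", "unknown"),
    ("LAB-SER-09", "SD-320AN", ""),
]

if __name__ == "__main__":
    for tag, model, fw in INVENTORY:
        print(tag, model, fw or "-", *triage(model, fw), sep=" | ")
```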
In the ICS-CERT advisory, the National Cybersecurity and Communications Integration Center (NCCIC) advised users to take the following defensive measures to minimize the risk of exploitation of these vulnerabilities:
• Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the internet
• Locate control system networks and remote devices behind firewalls and isolate them from the business network
• Use secure methods, such as virtual private networks, when remote access is required
Organizations should conduct an impact analysis and risk assessment prior to deploying defensive measures, according to NCCIC.
In March, ICS-CERT warned about hard-coded credential vulnerabilities in a range of GE Healthcare medical imaging software, systems, and workstations. Researcher Scott Erven discovered GE Healthcare’s use of the hard-coded credentials, which increase the risk that attackers could guess the password to access the systems.
As part of its recently announced medical device safety action plan, the Food and Drug Administration (FDA) is seeking additional authority and funding from Congress to expand its efforts to improve medical device safety, including reducing cybersecurity vulnerabilities in devices.