Researchers have uncovered a set of security flaws in GE HealthCare’s Vivid Ultrasound family of products and two associated software programs that could expose sensitive patient data to malicious actors. The findings are serious: the vulnerabilities carry CVSS 3.1 base scores ranging from 5.7 to 9.6.
Nozomi Networks, in its detailed report on the matter, highlighted the risks associated with these vulnerabilities, which could enable arbitrary code execution with full privileges. While some of the worst-case scenarios require physical access to the devices, they still pose a considerable threat to healthcare facilities. Andrea Palanca, a senior security researcher at Nozomi Networks, emphasized that the likelihood of an attack, even one requiring physical access, should not be underestimated, as ultrasound machines are frequently accessed by external individuals in hospital settings.
The research conducted by Nozomi Networks focused on three GE products: the Vivid T9 ultrasound system, used primarily for cardiac imaging; the Common Service Desktop web application, used for administrative tasks; and the EchoPAC clinical software, used for reviewing and analyzing ultrasound images. While GE’s ultrasounds incorporate certain security measures to prevent breaches, some design elements fell short of providing robust protection.
For instance, the Vivid T9 is essentially a full-fledged PC running a customized version of Windows 10, and a long-known weakness allowed the researchers to break out of its restricted graphical user interface and gain administrative privileges. Combined with a command injection vulnerability in the Common Service Desktop, this enabled arbitrary code execution, up to and including the deployment of ransomware on the device. Similarly, exploiting EchoPAC was relatively straightforward if the “Share” feature was enabled, granting unauthorized access to patient data.
The silver lining is that exploiting the vulnerabilities in the Vivid T9 and Common Service Desktop requires physical access to the device, which limits the pool of potential attackers to people who can reach it, whether malicious insiders or the outside parties who routinely handle ultrasound machines. EchoPAC, on the other hand, presents a more accessible target from within the local area network. Nonetheless, the researchers demonstrated how a malicious drive inserted into the T9’s USB port could compromise the device within minutes, emphasizing the need for enhanced security measures across all healthcare devices.
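The article does not disclose the details of the Common Service Desktop flaw, so the following is an added, hypothetical illustration of the general command injection pattern it describes, written for this page and not taken from GE HealthCare’s or Nozomi Networks’ code. A maintenance web handler runs an OS diagnostic command with a user-supplied parameter; the endpoint, parameter name and command are assumptions. The vulnerable path splices the parameter into a shell command string, while the hardened path allowlists the value and passes it as a single argv entry with no shell involved.

```python
"""
Hypothetical command-injection example (added for illustration; not the
GE HealthCare Common Service Desktop code).  The 'host' parameter, the
ping command and the handler shape are assumptions for this example.
"""
import re
import subprocess


def vulnerable_build_command(host: str) -> str:
    """VULNERABLE: user-controlled 'host' is spliced into a shell string.
    If this string is run with shell=True, a value such as
    '127.0.0.1; whoami' executes a second command with the web
    service's privileges (on the T9, an administrative account)."""
    return "ping -c 1 " + host


def vulnerable_run(host: str, dry_run: bool = True) -> str:
    """Executes the vulnerable string via the shell.  dry_run=True (the
    default) only returns the command line so the example is safe to run."""
    cmd = vulnerable_build_command(host)
    if not dry_run:
        subprocess.run(cmd, shell=True, check=False, timeout=10)  # injectable
    return cmd


def is_injection_attempt(host: str) -> bool:
    """True if the value contains shell metacharacters that would end or
    chain commands; useful as a detection check on request logs."""
    return any(ch in host for ch in ";|&`$\n<>(){}")


# Allowlist: only characters legal in a hostname or IPv4 literal.
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def validate_host(host: str) -> str:
    """Rejects anything outside the allowlist, so metacharacters never reach
    a shell.  Raises ValueError for a bad value."""
    if not _HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return host


def safe_build_argv(host: str) -> list[str]:
    """HARDENED: validate, then build an argument vector.  Run without
    shell=True, the parameter is exactly one argv element and cannot
    introduce additional commands, whatever it contains."""
    return ["ping", "-c", "1", validate_host(host)]


def safe_run(host: str, dry_run: bool = True) -> list[str]:
    argv = safe_build_argv(host)
    if not dry_run:
        subprocess.run(argv, check=False, timeout=10)  # no shell parsing
    return argv


if __name__ == "__main__":
    payload = "127.0.0.1; whoami"  # constructed attacker input
    print("vulnerable would execute:", vulnerable_run(payload))
    print("looks like injection:", is_injection_attempt(payload))
    print("hardened argv for a benign host:", safe_run("10.0.0.5"))
    try:
        safe_run(payload)
    except ValueError as exc:
        print("hardened path rejected the payload:", exc)
```

The allowlist plus argv approach is the fix to aim for; escaping metacharacters while keeping `shell=True` is fragile and is the usual source of bypasses when a “patched” handler is revisited.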
In response to these findings, GE HealthCare has made patches and mitigations available for all 11 vulnerabilities through its product security portal. Healthcare facilities running the affected systems should apply them and, until they do, treat physical and USB access to the devices and network access to EchoPAC’s “Share” feature as attack surface to be restricted. Moving forward, it is imperative for vendors to prioritize stringent security practices so that vulnerabilities with such far-reaching consequences do not reach deployed medical devices in the first place.

