The Department of Homeland Security’s (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued warnings about vulnerabilities in some medical devices produced by GE Healthcare, Philips and Silex. Hackers and unauthorized persons who exploit the vulnerabilities could take control of the devices.
Philips informed the National Cybersecurity and Communications Integration Center (NCCIC) that its Brilliance CT scanners have security vulnerabilities. To reduce the risk to users, Philips asked DHS to help alert them while the company is still working to fix the vulnerabilities. To date, no exploitation of the vulnerabilities in these devices has been reported.
Philips discovered three vulnerabilities in the following Brilliance scanners:
- Brilliance 64 version 2.6.2 and below
- Brilliance iCT versions 4.1.6 and below
- Brilliance iCT SP versions 3.2.4 and below
- Brilliance CT Big Bore 2.3.5 and below
The Brilliance CT scanners run their user functions inside a kiosk environment on the Windows OS. Two of the three vulnerabilities discovered – CVE-2018-8861 and CVE-2018-8861 – affect the kiosk environment, allowing unauthorized attackers or kiosk access users to gain elevated privileges and access restricted resources and information in the OS. The third vulnerability – CVE-2018-8857 – concerns the credentials needed for inbound authentication and outbound communication; if these are compromised, unauthorized persons can access the system.
To exploit the vulnerabilities, the attacker must have local access to the kiosk environment of the Brilliance scanner. Any user with a low skill level is capable of exploiting the vulnerabilities, then executing commands with elevated privileges and accessing restricted resources in the system. Even though these vulnerabilities are regarded as low-risk, Philips had to alert users to the risk as stipulated in its disclosure policy. Philips reminds users to follow the specifications provided when using Brilliance CT products, such as using only software approved by Philips and applying the specified security configurations.
There are two vulnerabilities – CVE-2018-6020 and CVE-2018-6021 – that affect Silex Technology and GE Healthcare MobileLink technology. These products are affected by one or both vulnerabilities:
- GEH-500 (V 1.54 and earlier), SX-500 (all versions), GEH-SD-320AN (V GEH-1.1 and earlier), and SD-320AN (V 2.01 and earlier).
- GE MAC Resting ECG analysis systems that use MobileLink Technology: MAC 3500, MAC 5000 (E.O.L 2012), MAC 5500 and MAC 5500 HD.
Attackers with a low skill level can exploit the two vulnerabilities to modify system settings remotely. Silex and GE Healthcare recommend the following actions to mitigate the risk:
For CVE-2018-6020 – users should update the account using the web interface and set a secondary password to prevent anyone from changing the device configuration.
For CVE-2018-6021 – users should download the updated firmware that will resolve the vulnerability on May 31, 2018 or as soon as the testing is complete.
NCCIC also recommended measures to mitigate the vulnerabilities. Minimize internet exposure of control system devices. It is best to place them behind a firewall. If remote access is really necessary, use a VPN. Users are also advised to perform a risk analysis before taking any action.