ICS-CERT has Issued an Advisory about a Medium Severity Vulnerability found in GE Aestiva and Aespire Devices
NEW YORK, July 9, 2019 /PRNewswire/ -- A cyber vulnerability has been discovered in hospital anesthesia machines, the US Department of Homeland Security's Industrial Control Systems – Cyber Emergency Response Team (ICS-CERT) disclosed today. The vulnerability, discovered by healthcare cybersecurity provider CyberMDX, could allow an attacker to impair respirator functionality, changing the composition of aspirated gases — silencing alarms, and altering time/date records.
The CyberMDX research team found this vulnerability in the protocol of GE Aestiva and GE Aespire devices (models 7100 and 7900). Through the vulnerability, remote commands can be sent to interfere with the normal working order of the device.
If a malicious attacker can gain access to a hospital's network and if the GE Aestiva and GE Aespire Devices are connected to a terminal server, the attacker can hack the devices without any prior knowledge of IP addresses or location of the machines. The attack could lead to unauthorized gas composition adjustments (altering the concentration of inspired/expired oxygen, CO2, N2O, and anesthetic agents), barometric pressure and anesthetic agent manipulations, alarm silencing, and out-of-process changes to date and time settings. If exploited, this vulnerability could directly impact the integrity, confidentiality, and availability of device components, while placing the patient at risk.
The vulnerability was given a CVSS value of 5.3 (reflecting moderate severity) in the ICS-CERT Advisory (ICSMA-19-190-01). The full report can be found at https://www.us-cert.gov/ics/advisories/icsma-19-190-01.
"The potential for manipulating alarms and gas compositions is obviously troubling. More subtle but just as problematic is the ability to alter timestamps that reflect and document what happened in surgery. Anesthesiology is a complicated science and each patient may react differently to treatment. As such, Anesthesiologists must follow stringent protocols for documenting and reporting procedures, dosages, vital signs, and more. The ability to automatically and accurately capture these details is one of the main reasons why respirators are connected to the network to begin with. Once the integrity of time and date settings has been compromised, you no longer have reliable audit trails. That's a very serious problem for any medical center," said Elad Luz, Head of Research at CyberMDX.
More information on the vulnerability can be found on the CyberMDX website.
About CyberMDX's Cybersecurity Research & Analysis Team
CyberMDX's research and analyst team regularly works with medical device organizations in the responsible disclosure of security vulnerabilities. The threat intelligence team works tirelessly to help protect hospitals and healthcare organizations from malicious attacks. The team's researchers, white hat hackers, and engineers collect information about possible attack paths to understand attacker motives, means, and methods in an effort to deliver the best protection possible.
CyberMDX is a pioneer in medical cybersecurity, with an IoMT solution that delivers visibility and threat prevention for medical devices and clinical assets. CyberMDX identifies, categorizes and protects connected medical devices — ensuring resiliency as well as patient safety and data privacy. With CyberMDX's continuous endpoint discovery & mapping, comprehensive risk assessment, AI-powered containment & response, and operational analytics, risks are easily mitigated and assets optimized. For more information, please visit us at www.cybermdx.com
VP Marking CyberMDX