DHS: Some GE Imaging Devices Are Vulnerable
Alert: Hackers Can Potentially Exploit Hardcoded and Default Credentials
A recent alert from the Department of Homeland Security warning of vulnerabilities in certain medical imaging product lines from GE Healthcare also serves as a reminder to other medical device makers and healthcare entities about the risks posed by hardcoded and default credentials.
In a March 13 advisory, DHS's Industrial Control Systems Cyber Emergency Response Team says independent researcher Scott Erven contacted the agency regarding the potential use of default or hardcoded credentials in certain GE Healthcare imaging products.
"Successful exploitation of this vulnerability may allow a remote attacker to bypass authentication and gain access to the affected devices," the alert notes.
The risks posed by medical devices left vulnerable due to hardcoded and default passwords are substantial, says Phil Curran, chief information assurance officer and chief privacy officer at Cooper University Health Care in Camden, New Jersey. "Depending on what function the user ID/password provides within the code, the range goes from affecting how the device operates - a patient safety issue - to changing data - integrity - to complete shutdown to accessing patient information," he says.
Time to Change Passwords
Following the researcher's report about the findings, GE performed a self-assessment and validated that some imaging products use default or hard-coded credentials, ICS-CERT says. "GE has reviewed the capability to change passwords identified by the researcher within the product documentation, and users are advised to contact GE Service for assistance in changing passwords."
Among the GE Healthcare devices included in the ICS-CERT advisory are various imaging systems in the company's Optima, Discovery, Revolution, Centricity, THUNIS, eNTEGRA, CADStream, GEMNet, Infinia, Millennium, Precision MP/i, and Xeleris product families.
ICS-CERT notes in the advisory that according to GE, the affected products are deployed across the healthcare sector worldwide. But some of the products included on the list, such as the Optima 680, the Image Vault 3.x, and the THUNIS-800+, have very limited or no use in the U.S. or Canada, ICS-CERT notes.
In a statement provided to ISMG, GE Healthcare says it is "aware of the recent ... ICS-CERT advisory, which provides an update from a previously published US-CERT bulletin that addresses the use of default credentials in certain products. We are working closely with customers to implement best practices for security and supporting requests for assistance in changing passwords."
Medical device cybersecurity researcher Billy Rios tells ISMG: "Hardcoded passwords are a huge problem in healthcare cybersecurity."
In fact, it was the discovery by Rios and a fellow researcher, Terry McCorkle of security vendor Cylance, of 300 hardcoded passwords in medical devices from 40 vendors several years ago that served as a catalyst for the Food and Drug Administration to issue pre-market guidance to medical device manufacturers in 2013, Rios notes (see Medical Device Vulnerability Alert Issued).
At the same time that ICS-CERT issued an alert about Rios and McCorkle's discovery of the hardcoded passwords in medical devices, the FDA issued draft guidance recommending that manufacturers design and build cybersecurity into their medical devices (see FDA Drafts Medical Device Guidance).
"We've already witnessed malware like the Mirai botnet utilizing default passwords in devices to exploit them; it's only a matter of time before a similar strategy is used for medical devices," Rios tells ISMG.
"In most cases, these passwords are used by service technicians to service medical devices," he says. To address the problem, "hospitals can take the research provided by [Erven] and use that data to disable the interfaces associated with the technical interfaces," Rios says. "If the device needs to be serviced, hospitals can enable the technician interface during service activity and disable the interface when the service activity is completed."
ICS-CERT, in its advisory about the GE Healthcare devices, notes that the manufacturer has produced product updates that are available upon request; they replace default or hardcoded credentials with custom credentials for all but three of the affected products. GE's product updates are not available for the Optima 680, Revolution XQ/i, and THUNIS-800+ systems, ICS-CERT notes.
The agency also notes that users of the impacted imaging equipment can take additional defensive measures to minimize the risk of exploitation of this vulnerability. Those steps include:
- Close all unused ports on affected systems;
- Discontinue or limit the use of third-party software, such as email and web browser software, on the affected system, because it could broaden the attack surface of medical devices;
- Ensure that affected systems have applied the most current vendor-issued patches available;
- Restrict network access to affected systems and ensure they are not directly accessible from the internet;
- Follow best network design practices, such as implementing network segmentation and using network perimeters with properly configured firewalls to selectively control and monitor all traffic passed between zones and systems;
- Monitor and log all network traffic attempting to reach affected products for suspicious activity;
- When remote access is required, use secure methods such as virtual private networks, but recognize that VPNs may have vulnerabilities and should be updated to the most current version.
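The monitoring and network-restriction steps above, combined with Rios's suggestion to enable the technician interface only during service activity, shown as an added example (not from the advisory, GE, or this article): a Python review of flow-log lines that flags traffic reaching imaging devices from outside the allowed zone and service-port connections outside an approved service window. The log format, addresses, device names, ports and service windows are all constructed assumptions.

```python
import ipaddress
from datetime import datetime

# Constructed inventory: imaging-device IPs and the clinical zone allowed to reach them.
DEVICES = {"10.20.5.11": "CT-room-2", "10.20.5.12": "NM-workstation-1"}
ALLOWED_ZONES = [ipaddress.ip_network("10.20.0.0/16")]
SERVICE_PORTS = {22, 23}  # assumption: ports used by the technician interface
# Constructed approved service windows, when the technician interface may be enabled.
SERVICE_WINDOWS = {
    "10.20.5.11": [(datetime(2024, 3, 4, 9, 0), datetime(2024, 3, 4, 11, 0))],
}

# Constructed flow-log lines: timestamp src dst dst_port action
SAMPLE_LOG = """\
2024-03-04T09:30:00 10.20.8.40 10.20.5.11 22 ALLOW
2024-03-04T14:05:00 10.20.8.40 10.20.5.11 22 ALLOW
2024-03-04T14:06:10 203.0.113.7 10.20.5.12 104 DENY
2024-03-04T14:07:00 10.20.3.9 10.20.5.12 104 ALLOW
not a log line
"""

def in_window(dst, ts):
    """True if ts falls inside an approved service window for this device."""
    return any(start <= ts <= end for start, end in SERVICE_WINDOWS.get(dst, []))

def review(log_text):
    """Return (line_no, finding_kind, detail) tuples for lines that need a look."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        try:
            ts = datetime.fromisoformat(parts[0])
            src = ipaddress.ip_address(parts[1])
            dst, port, action = parts[2], int(parts[3]), parts[4]
        except (IndexError, ValueError):
            findings.append((n, "unparsed", line))  # never drop lines silently
            continue
        if dst not in DEVICES:
            continue  # not traffic toward an inventoried imaging device
        detail = f"{src} -> {DEVICES[dst]}:{port} {action}"
        if not any(src in net for net in ALLOWED_ZONES):
            findings.append((n, "outside-zone", detail))
        elif port in SERVICE_PORTS and not in_window(dst, ts):
            findings.append((n, "service-outside-window", detail))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```

Denied attempts from outside the zone are reported as well as allowed ones, since the advisory asks for all traffic attempting to reach affected products to be monitored.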
The problem with hardcoded and default passwords isn't limited to medical devices, Curran says. "This is not just a medical device issue; I have seen hardcoded user IDs and passwords in other code as well," he notes.
"The steps we can take are not new to us. Malicious users can access through physical access or unauthorized logical access by targeting a vulnerability on the device itself," he says. Organizations can manage physical access, he notes, by only allowing access to the devices to authorized individuals - for example, by escorting patients and locking doors. Institutions can also manage unauthorized logical access by keeping all their devices - including medical devices - patched and segmenting vulnerable devices.
Patching medical devices, however, continues to be a challenge, especially for devices using out-of-date software, he acknowledges. "But we need to pressure our vendors to ensure patient safety by keeping their systems patched," he adds.
In a statement, the FDA tells ISMG that the agency was made aware of the cybersecurity vulnerabilities identified in GE's devices during "the coordinated disclosure process" used by the medical device manufacturer and the independent researcher.
Best practices for coordinated disclosure are outlined in FDA final guidance issued in 2016 for post market management of cybersecurity in medical devices, the FDA tells ISMG.
"The FDA encourages medical device manufacturers and researchers to work collaboratively to address cybersecurity vulnerabilities in a way that best protects patients," the statement says.