Vulnerability in Anesthesia Machines allows adjusting composition of gas mixture

• The vulnerability impacts GE Aestiva and GE Aespire anesthesia systems versions 7100 and 7900.
• The vulnerability allows adjusting the composition of the anesthetic gas mixture, suppressing alarms, changing the time and date on the system, and changing the barometric pressure.

Elad Luz, Head of Research at CyberMDX uncovered a vulnerability in the firmware of some anesthesia machines from GE Healthcare that could allow an attacker to alter the level of anesthesia gas mixture.

What is the impact?

The vulnerability impacts GE Aestiva and GE Aespire anesthesia systems versions 7100 and 7900.

• The vulnerability could allow an attacker to enable a vulnerable anesthesia device into using a less secure version of the communication protocol it uses.
• This downgrade attack allows adjusting the composition of the anesthetic gas mixture, suppressing alarms, changing the time and date on the system, and changing the barometric pressure.

The composition level of anesthetic substances may differ from one patient to another depending on their medical conditions. This composition level is managed by procedures and protocols that ensure the correct dosage for each individual. However, the vulnerability allows an attacker to enable the device into using a less secure version of the protocols.

A change in the concentration of the anesthetic gas may have a negative impact on the patient. Similarly, a change in the time and date settings also alters trust in an audit's conclusion.

“Adjustments to settings for chemical constitution and time can have complicated and potentially long-lasting consequences that were best to avoid in a real hospital environment,” CyberMDX said in a report.

Worth noting

The researcher noted that the attack is possible without the need for authentication and special privileges. The attack does not require user interaction and the attacker need not be on the same network as the vulnerable machines.

What was the response?

Upon learning about the vulnerability, GE Healthcare conducted an internal investigation and determined that the vulnerabilities exist via certain insufficiently secured terminal server implementations that allow potential ability to modify gas composition parameters, device time, and silence alarms.

“The potential ability to remotely modify GE Healthcare anesthesia device parameters is an effect resulting from a configuration exposure through certain insufficiently secured terminal server implementations that extend GE Healthcare anesthesia device serial ports to TCP/IP networks,” GE Healthcare said.

Further, the healthcare organization recommends hospitals to use secure terminal servers when connecting GE Healthcare anesthesia device serial ports to TCP/IP networks.

The department of Homeland Security, through ICS-CERT, published an advisory about the vulnerability and provided a few recommendations to mitigate the risk. This includes:

• Minimizing network exposure for all medical devices;
• Locating medical devices behind firewalls and isolating them where possible;
• Restricting unauthorized access;
• Applying defense-in-depth strategies; and
• Disabling any unnecessary accounts, protocols, and services.