What you need to know about the latest Philips, Silex and GE hack vulnerabilities

May 17, 2018
by Thomas Dworetzky, Contributing Reporter

The U.S. Department of Homeland Security ICS-CERT has issued cyber vulnerability advisories for the Philips Brilliance CT system, and the Silex Technology SX-500/SD-320AN and GE Healthcare MobileLink.

Many of the weak spots are familiar, involving relatively low-level skills that could let a hacker change his or her privileges to an elevated user level, enabling access to other parts of the system – even possibly gaining entry to the larger network using hard-coded credentials for authentication.

Philips had been working on the issue, which it said in its statement involved the following systems:

• Brilliance 64 version 2.6.2 and below
• Brilliance iCT versions 4.1.6 and below
• Brilliance iCT SP versions 3.2.4 and below
• Brilliance CT Big Bore 2.3.5 and below.

Philips confirmed the flaw, advising that the vulnerability is not exploitable remotely, noting that “an attacker would need local access to the kiosk environment of the medical device to be able to implement the exploit.”

So far, there are no reports of a hack using this vulnerability in the real world.

Philips has also fixed the hardcoded credentials vulnerabilities “for all Brilliance iCT 4.x and above versions,” it stated.

Going forward, the company advises that users set products up “within specifications,” especially software and security settings.

It also suggested more broadly that sites “implement a comprehensive, multilayered strategy to protect their systems from internal and external security threats, including restricting physical access of the scanner to only authorized personnel.”

The second Homeland advisory concerned the Silex Technology SX-500/SD-320AN and GE Healthcare MobileLink.

Again, the hacking skill level required is low, but in this case the hack can be done remotely.

One flaw would let unauthorized hackers change system settings, due to a problem of verification in the software. Another flaw lies in the way memory is “cleaned,” which could permit code to be planted by a hacker and then executed.

After researcher Eric Evenchick of Atredis Partners brought these problems to the attention of the companies, the vulnerabilities were fixed, he reported to Homeland.

Updates are available with these fixes, and Silex Technology and GE Healthcare recommend that their users take the following steps:

• CVE-2018-6020 (GE MobileLink/SX-500) – Enable the “update” account within the web interface, which is not enabled by default. Set the secondary password for the “update” account to prevent unauthenticated changes to the device configuration.

• CVE-2018-6021 (GE MobileLink/GEH-SD-320AN) – Silex Technology and GE Healthcare have made updated firmware for the GEH-SD-320AN, which will be available May 31, 2018, for download.

These flaws are cropping up with more frequency as devices become ever more connected in healthcare settings.

In March, ICS-CERT issued hacking warnings for Philips iSite and IntelliSpace PACS medical imaging archiving communications systems and the Alice 6 polysomnography system, citing hacking weaknesses that are “predominantly in third-party components,” the agency stated, adding that “Philips is providing users a number of potential options to remediate these identified vulnerabilities.”

Also in March, another alert warned of default or hardcoded password issues that could impact a number of GE Healthcare devices, including its Optima, Discovery, Revolution, Centricity, THUNIS, eNTEGRA, CADStream, GEMNet, Infinia, Millennium, Precision MP/i, and Xeleris.

At that time, GE reviewed “the capability to change passwords identified by the researcher within the product documentation,” according to the ICS-CERT alert, “and users are advised to contact GE Service for assistance in changing passwords.”

That advisory also noted that there are some updates from GE to address the default or hardcoded credentials, but not for the Optima 680, Revolution XQ/i, and THUNIS-800+ systems.

The problem has mushroomed in recent years. In the past two years alone, the U.S. Department of Health and Human Services Office of Civil Rights has publicly posted reports of security breaches from almost 400 healthcare providers, payers or life science organizations, according to ClearDATA's Chris Bowen.