GE Ultrasound Devices Vulnerable to Ransomware and Data Theft

May 16, 2024

Researchers have unearthed 11 security vulnerabilities in GE HealthCare's Vivid Ultrasound product line, along with two related software programs. The issues are diverse, encompassing lack of encryption for sensitive data, hardcoded credentials, and more. These vulnerabilities have severity scores ranging from 5.7 to 9.6 on the CVSS 3.1 scale. According to a report by Nozomi Networks, these flaws could enable remote code execution with full privileges, leading to various possible attack scenarios. However, the most severe scenarios would necessitate physical access to the devices, significantly lowering the risk to healthcare establishments.

During their research, Nozomi's team scrutinized three GE products: the Vivid T9 ultrasound system, primarily used for cardiac imaging; the pre-installed Common Service Desktop Web application, used for various administrative tasks; and the EchoPAC clinical software package, which doctors use to review and analyze ultrasound images.

GE's ultrasound devices have certain built-in features to prevent users from inadvertently causing security issues. For instance, the Common Service Desktop Web application is only accessible on the device's localhost interface, preventing remote tampering. However, some other security features were found lacking. The Vivid T9 is essentially a full PC running a version of Windows 10 customized by GE. Most of the device's logic is managed by applications and scripts running on it. Despite its user interface restricting access to underlying operating system functionalities, researchers were able to bypass it using an old system bug, CVE-2020-6977, a kiosk breakout vulnerability rated 8.4 on the CVSS scale. They then leveraged CVE-2024-1628, a command injection issue in Common Service Desktop, to execute arbitrary code and deploy ransomware that locked the system.

Exploiting the EchoPAC software was even easier if its 'Share' feature was turned on. An attacker could use hardcoded credentials (CVE-2024-27107, a critical 9.6 CVSS issue) to access the live database server instance, enabling them to read, edit, and steal patient data. However, unlike IoT-connected medical devices, exploiting the T9 and Common Service Desktop would require a malicious insider to have physical access to the device's built-in keyboard and trackpad. EchoPAC, on the other hand, only requires access to the local area network.

An attacker could bypass the need to interact with the device's keyboard and trackpad by inserting a malicious drive into the T9's exposed USB port. Nozomi demonstrated that a specially designed drive could compromise a T9 in about a minute. Consequently, Nozomi advises medical personnel not to leave ultrasound devices unattended. Patches and mitigations for all 11 vulnerabilities are available on GE HealthCare's product security portal.
