Identified Vulnerability in Philips HDI 4000 Ultrasound Systems

A vulnerability has been identified in Philips HDI 4000 Ultrasound systems that attackers could exploit to access ultrasound images. Beyond stealing information, an attacker could tamper with ultrasound images and so hinder the diagnosis of a potentially deadly health condition.

Philips HDI 4000 Ultrasound systems run on legacy operating systems such as Windows 2000, which are no longer supported. Any vulnerability in the unsupported operating system could be exploited to gain access to the system and the patient records it holds.

Check Point's security researchers discovered the vulnerability, tracked as CVE-2019-10988, and reported it to Philips. US-CERT subsequently issued an advisory about the vulnerability.

Philips HDI 4000 Ultrasound systems reached end of life in December 2013, and Philips no longer sells, updates, or supports them. However, many healthcare organizations still use the systems despite the risk of attack. US-CERT warned that several exploits are already in the public domain and could be used to gain access to the systems.

Because the devices are no longer supported, Philips will not issue a patch or update to fix the vulnerability. Healthcare organizations that do not retire or replace the systems should implement defensive measures to minimize the risk of exploitation.

The DHS Cybersecurity and Infrastructure Security Agency (CISA) advises users of Philips HDI 4000 Ultrasound systems to restrict system access to authorized personnel and to apply the principle of least privilege. Users should disable accounts and services that are not essential and adopt a defense-in-depth strategy.

Replacing the legacy systems with newer equipment that runs on a supported operating system is strongly advised.

According to US-CERT, an attacker would need a relatively high level of skill to exploit the vulnerability and would also need access to the same local subnet as the systems. For these reasons, the vulnerability has been assigned a CVSS v3 base score of 3.0 out of 10.