Vulnerabilities Seen in Phillips, Silex and GE Medical Equipment

The Department of Homeland Security’s (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has published notices concerning the vulnerabilities in certain medical products manufactured by Silex, GE Healthcare and Phillips. Cyber criminals and unauthorized people could exploit the vulnerabilities and manipulate the devices.

Phillips advised the National Cybersecurity and Communications Integration Center (NCCIC) concerning its Brilliance CT scanners, which have security issues. To minimize the risk that consumers could possibly encounter, Phillips asked the assistance of DHS to advise consumers while the firm is still attempting to resolve the vulnerabilities. Currently, there is no report about the vulnerabilities of the equipment being exploited.

Phillips found 3 vulnerabilities in these Brilliance scanners: Brilliance iCT versions 4.1.6 and below; Brillance iCT SP versions 3.2.4 and below; Brilliance CT Big Bore 2.3.5 and below; and Brilliance 64 version 2.6.2 and below.

The Brilliance CT scanners function by running user functions found in a kiosk environment in the Windows OS. Two of the vulnerabilities identified – CVE-2018-8861 and CVE-2018-8861- take advantage of the kiosk environment permitting unauthorized persons or kiosk access users to get higher privileges and gain access to restricted sources and information in the operating system.  The third vulnerability – CVE-2018-8857 – exploits the credentials required for inbound authentication and outbound communication, which when corrupted will permit unauthorized people to get into the system.

To take advantage of the vulnerabilities, the hacker need local access to the Brilliance scanner’s kiosk environment. Any individual having low level skill can exploit the vulnerability, and then implement commands utilizing greater rights and get restricted sources in the device. Even though the vulnerabilities are considered to be low-risk, Phillips needed to issue a warning to users about the risk as specified in its disclosure policy. Phillips instructs consumers to adhere to the specs given for using Brilliance CT merchandise, including the use of software program permitted by Phillips and the security settings.

Two vulnerabilities – CVE-2018-6020 and CVE-2018-6021 – were found to affect Silex Technology and GE Healthcare MobileLink technology. These items are impacted by either one or the two vulnerabilities:

GEH-500 (V 1.54 and earlier), SX-500 (all versions), GEH-SD-320AN (V GEH-1.1 and earlier), and SD-320AN (V 2.01 and earlier).

GE MAC Resting ECG analysis systems that use MobileLink Technology: MAC 3500, MAC 5000 (E.O.L 2012), MAC 5500 and MAC 5500 HD.

Hackers having low level skills could exploit both vulnerabilities and could alter system configurations distantly. Silex and GE Healthcare proposes these steps to minimize the risk:

For the CVE-2018-6020 vulnerability, end users must update the account utilizing the web platform and fix a second password to stop any person from altering the device settings.

For the CVE-2018-6021 vulnerability, end users ought to download the up-to-date firmware that could take care of the vulnerability on May 31,2018 or when the tests are complete.

NCCIC likewise suggests doing these actions in order to minimize the vulnerabilities. Reduce the exposure of control system devices on the internet. It is advisable to put them behind a firewall. In case remote access is absolutely required, utilize a VPN. End users are likewise instructed to perform a risk analysis before trying to carry out any action.