Governance & Risk Management , Healthcare , Industry Specific

Report: 11 Vulnerabilities Found in GE Ultrasound Devices

GE HealthCare Says Risks Can Largely Be Mitigated Through Security Best Practices
Report: 11 Vulnerabilities Found in GE Ultrasound Devices
Researchers recently identified 11 security vulnerabilities affecting certain GE HealthCare ultrasound products, including the Invenia ABUS 2.0 (Image: GE HealthCare)

Security researchers have identified nearly a dozen vulnerabilities in certain GE HealthCare ultrasound products that could allow malicious actors with physical access to the devices to implant ransomware or access and manipulate patient data stored on the affected devices, says a new report published Tuesday by Nozomi Networks.

See Also: The Financial Industry Threat Landscape: Top Threats and Proactive Security Best Practices

GE HealthCare issued security bulletins on Tuesday in response to the Nozomi report, downplaying the findings and saying that "existing mitigations and controls are in place" that reduce the risks to acceptable levels.

The Cybersecurity and Infrastructure Security Agency on Thursday also issued an advisory about the vulnerabilities.*

Nozomi said the 11 vulnerabilities affect various ultrasound systems and software from GE HealthCare, including the Vivid T9 ultrasound system and its pre-installed Common Service Desktop web application and related EchoPAC software.

The flaws have CVSS v3.1 base scores of between 9.6 for CVE-2024-27107, a vulnerability involving the use of hard-coded credentials (see: - and 5.7 for vulnerability CVE-2024-27106, which involves missing encryption of sensitive data (see: CWE-311.

Among the other vulnerabilities identified are protection mechanism failure, execution with unnecessary privileges, improper limitation to a pathname, restricted directory - or path traversal, and a variety of other issues.

"These vulnerabilities could be exploited for ransomware attacks or to access or manipulate patient data," said Andrea Palanca, senior security researcher at Nozomi Networks and one of the experts who identified the flaws.

Nozomi's report describes how a malicious actor with physical access to a vulnerable ultrasound device potentially could use a USB thumb drive containing malware to automate an attack chain, including the insertion of ransomware.

"If a healthcare facility fell victim to either of these attack scenarios, the consequences could be severe and multifaceted," Palanca told Information Security Media Group.

"Ultrasound infrastructure also plays a crucial role in diagnosing and monitoring various medical conditions. The inability to access or use the devices due to ransomware could delay critical medical procedures, hinder accurate diagnoses, and impede timely treatment," she said.

Also, unauthorized access to the data stored on the affected devices "could be misused or sold, posing a significant threat to individuals' personal information," Palanca said. "The accuracy of diagnoses and treatment plans may even be jeopardized, leading to potential harm to patients."

Nozomi shared its findings with GE HealthCare before releasing its report. "To this extent, GE HealthCare has confirmed that their trained medical staff has executed medical safety risk assessment following regulatory expectations and have concluded the associated safety risk is controlled, acceptable or as low as possible," the researchers said.

"This process is regulated by the U.S. FDA and other regulatory bodies, requires well trained medical staff and a very detailed collection of evidences," the report said.

Physical Access Needed

GE HealthCare in its security bulletins said it actively participated in the coordinated security vulnerability disclosures for the flaws that Nozomi found.

That includes vulnerabilities involving the Common Service Desktop component used in certain GE HealthCare ultrasound devices. The issues identified potentially make the products vulnerable to command injection and path traversal, which could allow malicious actors to reach the operating system on these devices - if they have physical access to the device, GE said.

"GE HealthCare conducted a thorough investigation and determined that in the unlikely event a malicious actor with physical access rendered the device unusable, there would be clear indicators of this to the intended user of the device," the company said.

"The vulnerability can only be exploited by someone with direct, physical access to the device. GE HealthCare has determined that the existing mitigations and controls are in place and effectively reduce the risk as far as possible; therefore, the residual risk associated with this vulnerability is acceptable," the manufacturer said.

GE Healthcare recommends organizations using the affected products mitigate the risks by adopting "security and cybersecurity best practices, including restriction of physical access to devices by unauthorized individuals."

The company also recommends users contact their GE HealthCare representatives for additional suggestions.

But not everyone is convinced that GE HealthCare is adequately handling the Nozomi report's findings.

"The idea that you can sell a medical device and shift all security responsibility to the hospital and running 'a secure network' is like saying, 'The car is safe if every other driver follows the rules of the road,'" said David Brumley, CEO of security firm ForAllSecure and cybersecurity professor at Carnegie Mellon University.

"Hospitals shouldn't be on the hook to assess and secure devices they didn't build themselves. The vendor should be. The response from GE was written by what looks like a lawyer because no security expert would say such things."

GE HealthCare in a statement to ISMG said that maintaining the safety and security of its devices is "a top priority" of the company.

"We recently disclosed potential cybersecurity vulnerabilities for several ultrasound systems that, if acted upon, could render a system unusable or disclose limited patient information. We conducted a thorough investigation of the issue and determined existing mitigations and controls are in place and effective," GE HealthCare said.

"This is not a recall and GE HealthCare has not received any reports of potential exploitation of vulnerabilities or unauthorized access to data associated with this issue," the statement says.

Larger Problems

Unfortunately, the kinds of vulnerabilities identified by Nozomi in its report are not uncommon problems in many types of legacy medical devices, said Axel Wirth, chief security strategist at security firm MedCrypt.

"We can find many historic security sins in older medical devices of many manufacturers, very similar to the vulnerabilities reported by Nozomi," he said.

Reasons are many, including the desire to ensure easy access for technical personnel through hardcoded passwords, lack of security as a development priority, and devices being designed during a time where cyber threats were less common and less sophisticated, he said.

"We now live in a very different era and are paying for the security debt we have collected over the past years and decades," he said.

"We have to assume that these and similar vulnerabilities exist in pretty much all old devices, so it comes down to identifying the affected devices, identifying the respective vulnerabilities and associated risks, and implementing the respective compensating security controls including device configuration, firewalls, network segmentation and more," he said.

In fact, this may even require physical controls such as mechanical locks for USB ports, he adds.

"The key point here is that we need visibility - manufacturers need to be open about their respective device risks and hospitals need to support implementation of security controls," Wirth said.

*Updated on May 16, 2024 17:59 UTC to include CISA's bulletin.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.