DHS warns of security flaws in GE, Philips, Silex medical devices
Serious security flaws were discovered in Philips, GE and Silex medical devices that, if exploited, could allow authorized access and let a hacker obtain elevated privileges, according to two separate U.S. Department of Homeland Security ICS-CERT alerts issued this month.
According to the first alert, a flaw in the contained kiosk environment of Philips Brilliance CT Scanners could be exploited to let an unauthorized user gain elevated privileges and access to unauthorized resources within Windows.
Another kiosk environment flaw could be exploited, allowing a user with limited access to break out of that environment and gain elevated privileges and access to other elements in Windows.
DHS also sent an alert about a flaw with the hard-coded credentials for outbound communication, encryption of internal data and inbound authentication: An unauthorized user could compromise credentials to gain access to the network. Philips remediated this flaw for versions 4.x and above.
Philips alerted the National Cybersecurity and Communications Integration Center of the vulnerability in early May and has been working to eliminate the issue. The company also worked with DHS to alert its users to the problem, as a way to mitigate some of the risk.
So far, there’s been no evidence these flaws have been exploited in the wild. But Philips is still warning users to “implement a comprehensive, multi-layered strategy to protect their systems from internal and external security threats.” This includes restricting physical access to just authorized personnel.
The second notice outlines flaws discovered in both Silex Technology and GE Healthcare MobileLink tech that could be exploited remotely with low-level skill and allow modification of system settings. Public exploits of these vulnerabilities are available.
The flaws are found in these products: GEH-500, SX-500, GEH-SD-320AN and SD-320AN, along with some GE MAC Resting ECG analysis systems that may use MobileLink Technology.
One flaw cites a lack of verification for authentication for some POST requests that could let an unauthorized user modify system settings. Another flaw cites an improperly sanitized system call parameter, which can allow remote code execution.
Both Silex and GE recommended users to enable an ‘update’ account within the online interface, which is not the standard default. Users should also set a second password for this update account to prevent an unauthorized user from altering device configuration.
The two companies have updated firmware to remediate some of these vulnerabilities, which will be available for download on May 31.
These alerts have become more frequent, as security leaders, Congress, and the Food and Drug Administration are continuing to shore up these threats. In fact, not only have medical device recalls increased by 126 percent in the first quarter of 2018 from last year, often doctors have no idea if or when a hack occurs.