
Vulnerabilities found in GE anesthesia machines - bookofjoe
https://www.zdnet.com/article/vulnerabilities-found-in-ge-anesthesia-machines/
======
bookofjoe
DHS Security Alert issued July 9, 2019
[https://www.us-cert.gov/ics/advisories/icsma-19-190-01](https://www.us-cert.gov/ics/advisories/icsma-19-190-01)

------
bookofjoe
GE Healthcare Security Alert issued July 8, 2019
[https://www.gehealthcare.com/support/security-information](https://www.gehealthcare.com/support/security-information)

------
bookofjoe
CyberMDX Vulnerability Research & Disclosures (Date of discovery: October 29,
2018)
[https://www.cybermdx.com/vulnerability-research-disclosures/...](https://www.cybermdx.com/vulnerability-research-disclosures/ge-aestiva-and-ge-aespire)

GE Healthcare Security Alert issued July 8, 2019
[https://www.gehealthcare.com/support/security-information](https://www.gehealthcare.com/support/security-information)

DHS Security Alert issued July 9, 2019
[https://www.us-cert.gov/ics/advisories/icsma-19-190-01](https://www.us-cert.gov/ics/advisories/icsma-19-190-01)

------
NegativeLatency
CVE:
[https://nvd.nist.gov/vuln/detail/CVE-2019-10966](https://nvd.nist.gov/vuln/detail/CVE-2019-10966)

------
softwaredoug
Just had a ct scan from a GE machine. Can’t say I wasn’t wondering about the
likelihood some bug would give me too much radiation...

~~~
ska
I have no specific knowledge of GE CT scanners, and I've also seen some very
crufty GE code which was full of potential issues.

However, for what it's worth, these sorts of safety systems (and similarly SAR
monitors in MRI, etc.) tend to be well validated as part of the overall hazard
and risk analysis, and people spend the time here, they tend to have
interlocks and other often redundant safety subsystems that work.

I guess what I'm saying is that I wouldn't expect bugs to trip you up in the
primary-yet-dangerous function, as this is where the obvious problem areas
are.

This article describes how the attack surfaces on medical devices aren't good.
This is definitely true. Especially with older designs that have been updated
over the years but were designed with no network or private network in mind.

~~~
kwiens
> Between June 1995 and January 1987, six patients were seriously injured or
> killed by unsafe administration of radiation from the Therac-25 medical
> linear accelerator.

> The Therac-25 software errors that cause radiation overexposures can be
> reduced down to interface errors. The first of these errors involved the
> entering of treatment data by the machine operator. Once an operator enters
> treatment information at the terminal outside of treatment room, the magnets
> used to filter and control radiation levels are set. There are several
> magnets, and the process takes about 8 seconds. If the operator makes a
> very, very quick change of the treatment information, within 1 second, the
> change is registered. Or, if the operator is rather slow about it, takes
> more than 8 seconds, the change is also registered. However, if the change
> occurs within the eight seconds it takes to set the magnets, the change is
> not detected and the magnets continue to be set up improperly, and thus the
> level of radiation is set up improperly.

> The last of the accidents occurred at the Yakima Valley Memorial Hospital.
> On January 17, 1987 an operator placed a patient on the turntable in the
> field-light position for small position verification doses. After attempting
> to administer the treatment dose, the machine shut down with a quick
> malfunction message and a treatment pause. The operator pushed the "P"
> button, and the machine paused again. The machine indicated that the patient
> had received his prescribed 7 rad of treatment. The patient, however,
> complained of a "burning sensation" and died three months later from
> complications related to the overdose (Leveson and Turner, 1993, p. 33).

[http://users.csc.calpoly.edu/~jdalbey/SWE/Papers/THERAC25.ht...](http://users.csc.calpoly.edu/~jdalbey/SWE/Papers/THERAC25.html)
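
The timing window described in the quoted passage is a check-then-use race: the setup task reads the operator's values once and never looks again. The sketch below is an added example, not Therac-25 code and not part of the thread; `Console`, `run_setup`, the edit counter and the dose values are assumptions made for illustration, with only the 1-second and 8-second figures taken from the quote.

```python
from dataclasses import dataclass

SNAPSHOT_S = 1.0   # edits made before this point are still read by the setup task
SETUP_S = 8.0      # time the magnets take to reach position (figure from the quote)

@dataclass
class Console:
    dose: int          # value shown to the operator (arbitrary units, constructed)
    version: int = 0   # incremented on every edit

    def edit(self, dose: int) -> None:
        self.dose = dose
        self.version += 1

def _apply_until(console, pending, deadline):
    """Apply every queued (time_s, dose) edit that lands at or before deadline."""
    while pending and pending[0][0] <= deadline:
        console.edit(pending.pop(0)[1])

def run_setup(initial_dose, edits, recheck):
    """Return (configured_dose, displayed_dose) after all edits are processed.

    recheck=False models the flawed design: values are read once per setup pass.
    recheck=True adds the fix: compare the edit counter after the pass and redo
    the setup if the operator changed anything in the meantime.
    """
    console, pending, clock = Console(initial_dose), sorted(edits), 0.0
    while True:
        _apply_until(console, pending, clock + SNAPSHOT_S)
        configured, seen = console.dose, console.version   # time of check
        _apply_until(console, pending, clock + SETUP_S)     # screen-only edits
        clock += SETUP_S                                     # time of use
        if recheck and console.version != seen:
            continue                  # stale configuration: set the magnets again
        if not pending:
            return configured, console.dose
        clock = pending[0][0]         # a later edit starts a fresh setup pass

def demo():
    """Constructed scenario: operator corrects 250 -> 7 at three moments."""
    return {t: (run_setup(250, [(t, 7)], False), run_setup(250, [(t, 7)], True))
            for t in (0.5, 4.0, 10.0)}
```

Only the edit at 4.0 seconds separates the two variants: without the recheck the hardware stays configured for 250 while the screen shows 7.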

~~~
ska
Yes, that happened.

And partially because the industry learned from Therac-25 (and other issues),
collectively it got much better at avoiding this sort of failure mode.

I’m not saying it’s perfect, but it is not a high risk scenario for the poster
I responded to.

~~~
colechristensen
The only complex systems I'm really comfortable trusting my life with are
aircraft. Why is not the absence of accidents but the NTSB response to them
and their public reports.

~~~
ska
They really do have a good system

------
kazinator
The problem here is that life-threatening machines aren't air-gapped.

~~~
AnimalMuppet
There's two problems with airgapping. First, how does the machine get updates?
Do you mail a DVD to the anesthesia techs? Do they know how to install such a
thing, or are they going to mess up the machine in the attempt? Or do you roll
a service tech in a truck - to _all_ the machines installed worldwide? (Yes, I
know, if the alternative to rolling trucks is letting J Random Hacker play
with your machine while it's keeping a patient alive, you'd better roll
trucks. But updates are one reason why stuff winds up connected to the net
rather than airgapped.)

The second reason why stuff is not airgapped is that it almost certainly
connects to the hospital's patient records system. They have to keep a record
of _everything_ that happened until all potential lawsuits time out. Just in
case there are complications from the surgery, they need all the records from
the anesthesia machine uploaded after every use. So the anesthesia machine has
to be on the same network as the patient records system - and so does every
other medical device in the entire hospital. That network should be completely
isolated from outside, but to do so, you have to airgap the network, not just
one machine. Yes, it should be done, but that's harder to do, and harder to
maintain.

For that matter, I've wondered, when you visit someone in the hospital, if you
plug your laptop into the ethernet jack in their room and start looking
around, what do you see?

~~~
kazinator
> _First, how does the machine get updates?_

Like every non-networked digital camera I've ever owned: put some
_fwupdate.bin_ file on an SD-card, plug it in and run some procedure on the
device.

If a DVD is used, the techs can locally burn an .iso image onto a blank as an
alternative to getting it in the mail.

Logs can also be gathered from the machine on removable media.

Medical records can be available via some non-airgapped laptop. Maybe
something can be integrated into the machine, but the control of actual
dangerous parameters for therapy or anaesthesia should be air-gapped. Manual
entry only.

Operators can still be duped into entering malicious values manually, but at
least there is a fighting chance for some oversight.

~~~
Spooky23
So, by removing visibility, monitoring and discovery, you would improve
oversight by having nurses transcribe data into machines and techs service
them with manual USB keys?

Unless the IT team consists of Santa’s elves, that’s just not going to happen.

