Homeland Security’s CISA has released an advisory flagging a major flaw in hospital anesthesia machines and respiratory devices. The cybersecurity vulnerability was discovered by CyberMDX.
The vulnerability in these devices could allow a malicious actor online to impair respirator functionality, including changing the composition of aspirated gases, muting the alarms and modifying time/date records. The affected devices are the GE Aestiva and GE Aespire (models 7100 and 7900).
The researchers at CyberMDX say that the flaw lets an attacker use the devices' own protocol to send them commands when they are connected to a terminal server on a hospital’s network. Elad Luz, CyberMDX’s head of research, said: “The devices use a proprietary protocol. It’s pretty straightforward to figure out the commands.”
GE Healthcare denies that there is any flaw in these devices and has called for careful selection of secure terminal servers to prevent the issue. GE Healthcare further clarified that, according to its assessment, there is no risk to patient safety. In an advisory on its website, GE Healthcare said: “Secure terminal servers when correctly configured provide robust security features including strong encryption, VPN, authentication of users, network controls, logging, audit capability, and secure device configuration and management options.”