GE Ultrasound Gear Riddled With Bugs, Open to Ransomware & Data Theft

Researchers have discovered 11 security vulnerabilities in GE HealthCare's Vivid Ultrasound family of products, as well as two related software programs.

The issues are varied, and include missing encryption of sensitive data, use of hardcoded credentials, and more. They range in severity from 5.7 to 9.6 on the CVSS 3.1 scoring system.

As Nozomi Networks explained in its report, the bugs could lead to remote code execution (RCE) with full privileges and any number of attack scenarios such powers would entail. However, the most serious case scenarios also require physical access to the devices in question, massively reducing the potential risk for healthcare facilities.

However, "even when talking about vulnerabilities that indeed require physical access for being exploited, we believe that the likelihood of an attack is far from being negligible," warns Andrea Palanca, senior security researcher with Nozomi Networks. "As a matter of fact,ultrasound machines are used in hospitals and clinics that are frequently accessed by external individuals, and our research showed that just one minute of physical access is sufficient to execute an attack.So, we feel that not only malicious insiders, but also outsiders may have chances to accomplish the attack."

The Bad News

In the course of their study, Nozomi's researchers analyzed three GE creations: the Vivid T9 ultrasound system, designed primarily for cardiac imaging; its pre-installed Common Service Desktop Web application, used for various administrative purposes; and the EchoPAC clinical software package, which doctors use to review and analyze ultrasound images.

In some ways, GE's ultrasounds are built to prevent users from causing security issues. For example, the Common Service Desktop Web app is exposed only on the localhost interface of a device, preventing long-distance tampering. This is important, as the software is used by administrators to do such things as change passwords and gather logs.

Other secure design elements didn't hold up so well, however.

The Vivid T9 is essentially a complete PC running a GE-customized version of Windows 10. To focus its use in healthcare settings, most of the device logic is handled by applications and scripts running on it. Its graphical user interface (GUI), for example, restricts users from accessing the underlying operating system functionalities, with a few exceptions.

However, thanks to an old bug in the system — CVE-2020-6977, a CVSS 8.4-rated kiosk breakout vulnerability — researchers were able to bypass the GUI to reach into the PC and obtain administrative privileges. Then, using CVE-2024-1628, an 8.4-severity command injection issue in Common Service Desktop, they were able to perform arbitrary code execution, dropping ransomware that froze the machine.

Exploiting EchoPAC proved even simpler, provided the program's "Share" feature was enabled. With a connection to a doctor's workstation, an attacker can abuse hardcoded credentials — CVE-2024-27107, critical 9.6 CVSS — to access its live database server instance. There, they can read, edit, and steal patient data.

The Good-ish News

The catch is that, unlike with Internet of Things (IoT)-connected medical devices, exploiting a T9 and Common Service Desktop requires that a malicious insider have physical access to the device's embedded keyboard and trackpad. (EchoPAC, meanwhile, is easier to break into, requiring only a foothold in the local area network and no other credentials whatsoever.)

This is good news for healthcare facilities, but there's a slight caveat. An attacker could avoid all the necessary clicking and typing by instead plugging a malicious drive into the T9's exposed USB port. In its experiments, Nozomi demonstrated how a specially crafted drive could compromise a T9 in only a minute's time.

"We hope that our findings inspire more and more vendors to adopt stronger security measures as early as possible, given the significant impacts that the exploitation of these vulnerabilities may cause, and that we practically demonstrated," says Palanca.

Patches and mitigations for all 11 vulnerabilities are available at GE HealthCare's product security portal.