A vulnerability in the firmware of certain anesthesia machines used in hospitals could be used to alter medication levels and alter alarms. The flaw affects GE Aestiva and GE Aespire anesthesia machines–specifically model numbers 7100 and 7900 from the General Electric Company. An attacker would have to be on the same network as the machines, but there is no need for special privileges. If the vulnerable system is connected to a terminal server, knowing the machine’s IP address isn’t necessary. If an attacker accesses the network and finds the vulnerable machine, the hacker could force the device into using a less secure version of the communication protocols. This attack is called a downgrade attack and would allow someone to remotely adjust the composition of the inhaled gas mixtures, suppress alarms, change the date and time on the system and modify the barometric pressure given to the patient. The aerosolized medication normally differs from patient to patient, so having the incorrect levels could be potentially deadly to the patient. As proof of concept, researchers showed this flaw by silencing an alarm on a machine that was being used in testing and not on a person.
Analyst Notes
IT administrators are recommended to create secure terminals to connect the vulnerable machines via serial ports. Segmenting networks will also minimize exposure to machines. Creating system access restrictions and disabling unnecessary accounts, protocols, and services are also highly recommended.
