Two critical vulnerabilities affecting GE Healthcare medical imaging products could allow personal healthcare information to be stolen and could potentially allow the affected devices to be shut down entirely. The bugs were originally discovered back in May by CyberMDX but kept confidential while the manufacturer worked on fixes, until yesterday, when they were officially disclosed by the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA). More than 100 different device models are believed to be affected, including CT scanners, PET machines, molecular imaging devices, MRI machines, mammography devices, X-ray machines and ultrasound devices. The bugs, tracked as CVE-2020-25175 and CVE-2020-25179, each received a CVSS score of 9.8, and rightfully so. They are exploitable because all of these systems share a common built-in password that allows remote servicing through GE's proprietary administration system; an attacker who learns that one credential, and who can reach the service interface over the network, gets the same access to every one of these devices. Patches are in the works, but because exploitation complexity is so low, the devices will remain highly exposed until those patches are released and applied. In the meantime the practical mitigation is to keep the devices' service interfaces off any network segment reachable by untrusted hosts and to restrict the remote-servicing ports to the few systems that genuinely need them.
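The root cause above, one service credential shared across an entire product line, is also something an operator can look for in their own fleet. The following is an added example, not code from the original article, from GE or from CyberMDX: a small audit that takes a constructed device inventory (device IDs, models, service-account password hashes) and flags any device whose service credential either matches a known vendor default or is shared with other devices. The inventory, the passwords and the "known default" list are all constructed for illustration; the function names (`audit_service_credentials`, `hash_password`) are this example's own.

```python
"""Audit a device inventory for vendor-default or shared service credentials.

Added example, not part of the original article or any GE/CyberMDX tooling.
All devices, passwords and the known-default list below are constructed.
"""
import hashlib
from collections import defaultdict


def hash_password(password: str) -> str:
    """Unsalted SHA-256 of the password.

    Unsalted on purpose: the audit needs equal passwords to produce equal
    hashes so that credential reuse across devices is visible. This is an
    audit fingerprint, not a storage format for live credentials.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed: fingerprints of passwords the assessment team already knows to
# be vendor defaults. Holding hashes rather than plaintext lets the list be
# shared with operators without handing out the passwords themselves.
KNOWN_DEFAULT_HASHES = {
    hash_password("service123"),   # constructed default
    hash_password("fieldeng"),     # constructed default
}

# Constructed inventory. In practice this would come from a CMDB export or
# from the device management system; the hashes would be computed from the
# service-account passwords held in the operator's credential vault.
INVENTORY = [
    {"id": "ct-01",  "model": "CT scanner",  "pw_hash": hash_password("service123")},
    {"id": "mri-01", "model": "MRI",         "pw_hash": hash_password("service123")},
    {"id": "us-01",  "model": "Ultrasound",  "pw_hash": hash_password("Q7!vR2#pLm9")},
    {"id": "us-02",  "model": "Ultrasound",  "pw_hash": hash_password("Q7!vR2#pLm9")},
    {"id": "xr-01",  "model": "X-ray",       "pw_hash": hash_password("u6%Kd8@wNz4")},
]


def audit_service_credentials(inventory, known_defaults=KNOWN_DEFAULT_HASHES):
    """Return a list of (device_id, reason) findings.

    A device is flagged when its service password is a known vendor default,
    or when the same password is used on at least one other device. A default
    credential is the more severe finding, so it takes precedence and a device
    is reported once.
    """
    devices_by_hash = defaultdict(list)
    for dev in inventory:
        devices_by_hash[dev["pw_hash"]].append(dev["id"])

    findings = []
    for dev in inventory:
        peers = [d for d in devices_by_hash[dev["pw_hash"]] if d != dev["id"]]
        if dev["pw_hash"] in known_defaults:
            findings.append((dev["id"], "vendor-default service credential"))
        elif peers:
            findings.append(
                (dev["id"], f"service credential shared with {', '.join(peers)}")
            )
    return findings


def clean_devices(inventory, known_defaults=KNOWN_DEFAULT_HASHES):
    """Device IDs that were not flagged by audit_service_credentials."""
    flagged = {dev_id for dev_id, _ in audit_service_credentials(inventory, known_defaults)}
    return [dev["id"] for dev in inventory if dev["id"] not in flagged]


if __name__ == "__main__":
    for dev_id, reason in audit_service_credentials(INVENTORY):
        print(f"{dev_id}: {reason}")
    print("clean:", ", ".join(clean_devices(INVENTORY)))
```

Two design points worth noting. The shared-credential check only needs equality of fingerprints, so the audit never has to see plaintext passwords once the hashes are computed; and the check is deliberately separate from the known-defaults list, because a fleet where the operator has rotated every device to the same new password has removed the default but not the underlying problem the article describes: one credential still unlocks every machine.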