The Security Ledger Podcast


Episode 153: Hacking Anesthesia Machines and Mayors say No to Ransoms

July 12, 2019

In this week’s podcast episode (#153): The researcher who discovered serious remote access security flaws in anesthesia machines by GE says such security holes are common. Also: the US Conference of Mayors voted unanimously to swear off paying ransoms for cyber attacks. But is that a smart idea? We’re joined by Andrew Dolan of the Multi State Information Sharing and Analysis Center to talk about it.

In our first segment: the Department of Homeland Security on Tuesday warned hospitals that a serious and remotely exploitable security hole has been found in two anesthesia devices made by GE Healthcare. ICS Medical Advisory (ICSMA-19-190-01), released Tuesday, warns that the GE Aestiva and GE Aespire Anesthesia Machines, versions 7100 and 7900, contain software that could allow a remote attacker to connect to the devices and modify their configurations without first authenticating to them.
Take a deep breath…or not!
In our first segment in this week’s podcast, we speak with the man who discovered the flaw: Elad Luz, the Head of Research at CyberMDX.
He tells us that the GE anesthesia machines – like many medical devices – were not designed to be connected directly to the local- or wide-area networks that are now common in clinical settings. That connectivity comes by way of so-called “terminal servers” that translate the serial port communications used by medical devices into TCP/IP, the lingua franca of most networks and the Internet.
Unfortunately, GE’s devices allow anyone able to communicate with a terminal server to send commands directly to the anesthesia devices without further authenticating to them. And, while many clinical organizations might wish to remotely monitor telemetry from devices like anesthesia machines, the GE devices allow remote actors to configure the machine: changing the makeup of the gases distributed to patients, changing the time settings on the device or suppressing alarms.
Luz said that serious and potentially life-threatening security lapses like this aren’t uncommon, with medical device makers frequently failing to disable diagnostic or calibration features prior to release, or offering them to customers as a convenience without considering how they might be abused by a malicious actor.
Mayors say ‘no’ to ransoms…then what?
Amid a scourge of ransomware attacks affecting municipal networks, the U.S. Conference of Mayors voted unanimously this week to adopt a resolution opposing payment of ransoms to cyber criminal groups. That’s a laudable declaration, but is it smart?
Recent cases like the ransomware infection that hit the City of Baltimore (check out Podcast #151 where we talk to IOActive’s Cesar Cerrudo about this) suggest that, absent strong IT security controls and a robust backup and recovery practice, some communities may face a difficult and expensive road to recovery should they tell ransomware groups to take a hike.
That has certainly been the case in Atlanta and Baltimore, where decisions to forgo ransom demands of tens of thousands of dollars have led to weeks-long disruptions in services and necessitated cleanup and recovery operations measured in millions of dollars.
So is telling ransomware gangs to stuff it really the best response? In our second segment,