Vulnerabilities in GE HealthCare Anesthesia Machines
A research team discovered a vulnerability (pertains to CWE-287) related to the GE Healthcare Aestiva and Aespire devices (models 7100 and 7900). If an attacker gains access to a hospital’s network and if the devices are connected via terminal servers, the attacker can force the device to revert to an earlier, less secure version of the communication protocol and remotely modify parameters without authorization.
When deployed using terminal servers, these manipulations can also be performed without any prior knowledge of IP addresses or location of the anesthesia machine. The attack could lead to:
Unauthorized gas composition input - altering the concentration of inspired/expired oxygen, CO2, N2O, and anesthetic agents.
Manipulation of barometric pressure settings and anesthetic agent type selection.