[CONNECTED HEALTH] Vulnerabilities still present in breathing and anesthesia devices

Medical cybersecurity researchers at CyberMDX have disclosed a vulnerability affecting breathing and anesthesia devices manufactured by General Electric. These devices are present in several American hospitals and medical centers. They can be hacked remotely, and doing so does not require a high level of skill. The vulnerable devices that CyberMDX has highlighted are the GE Aespire and GE Aestiva (versions 7900 and 7100).

The attack can be carried out remotely by connecting to the network of the targeted hospital. The hacker then finds the GE Aestiva or GE Aespire devices connected to this network “via the terminal-server communication protocol”. The attacker is then able to insert new commands without having to authenticate. One option available to him is to force the machine to use an earlier, less secure version of the protocol, which allows him to send other, more “dangerous” commands, again without authenticating.

Such actions could have lethal consequences. An attacker could disable the alarm, change the barometric pressure, or change the type of anesthetic agent. Such scenarios would be lethal to a patient, but this news was taken lightly by the manufacturers, who emphasized that such scenarios were unlikely and did not pose any direct risk to the patient.