Accounts with default creds found in 100+ GE medical device models

GE Healthcare is embarking on a massive effort to help healthcare providers reconfigure vulnerable devices.
Written by Catalin Cimpanu, Contributor
GE Healthcare
Image: Harlie Raethel, GE Healthcare

More than 100 models of General Electric Healthcare medical devices come with hidden accounts that use the same default credentials and could be abused by hackers to gain access to medical equipment inside hospitals and clinics.

Affected devices include the likes of CT scanners, X-Ray machines, and MRI imaging systems, according to CyberMDX, the security firm that discovered the hidden accounts earlier this year.

SEE: Meet the hackers who earn millions for saving the web, one bug at a time (cover story PDF) (TechRepublic)

The accounts, hidden to end-users, are included in the device firmware and are used by GE Healthcare servers to connect to on-premise devices and perform maintenance operations, run system health checks, obtain logs, run updates, and other actions.

CyberMDX says the problem with these accounts is that use the same default credentials and that the credentials are public and can also be found online by threat actors, which can then abuse them to gain access to hospital imaging systems and harvest patient personal data.

GE's effort to help customers

In an email interview on Monday, GE told ZDNet that they are "not aware of any unauthorized access to data or incident where this potential vulnerability has been exploited in a clinical situation," however, this doesn't mean the issue won't be abused in the future.

To stay ahead of attackers and prevent future intrusions, GE has now embarked on a massive effort to help hospitals and other healthcare providers reconfigure all the devices where these accounts are present.

In a security alert the company plans to publish today, the company will advise customers to contact GE support staff to make an appointment and have GE personnel change the passwords for these hardcoded accounts.

This step is necessary because the accounts are invisible to end-users, and only GE staff can change their credentials.

"We are providing on-site assistance to ensure credentials are changed properly and confirm proper configuration of the product firewall," a GE Healthcare spokesperson told ZDNet via email.

"A patch is not required to solve this issue," GE said.

What's vulnerable

According to CyberMDX, the company discovered hidden accounts that granted access to the following services and features:

  • FTP (port 21) -used by the modality to obtain executable files from the maintenance server.
  • SSH (port 22)
  • Telnet (port 23) -used by the maintenance server to run shell commands on the modality.
  • REXEC (port 512) -used by the maintenance server to run shell commands on the modality.

The list of vulnerable devices where these accounts are presents includes 104 GE Healthcare device models. The biggest and most well-known GE Healthcare product lines affected by this issue —which CyberMDX has been tracking under the codename of MDHexRay— includes:

Exploiting MDHexRay requires access to a hospital's network

But according to CyberMDX, the good news is that exploiting any of these default credentials to gain access to a device requires that an attacker have access to a hospital's internal network.

"We haven't found cases where the devices were left exposed online," Elad Luz, Head of Research at CyberMDX, told ZDNet in an email interview.

"Internal network access is required, [...] something that unfortunately happens quite commonly, especially recently," Luz said, referring to the growing number of security breaches and ransomware intrusions reported by healthcare organizations this year.

The worst IoT, smart home hacks of 2020 (so far)

Editorial standards