Security Researchers Find Nearly Dozen Holes in GE Ultrasound Machines

A line of ultrasound machines produced by GE HealthCare, the leading ultrasound OEM by market share, has been found to be susceptible to ransomware attacks and patient data compromise.

Researchers at IoT security firm Nozomi recently published a report identifying 11 vulnerabilities in GE's Vivid Ultrasound family of devices. "The impacts enabled by these flaws are manifold: from the implant of ransomware on the ultrasound machine to the access and manipulation of patient data stored on the vulnerable devices," the researchers wrote.

Nozomi focused its report on the Vivid T9 ultrasound device, which is designed primarily for cardiac ultrasound imaging. Each Vivid T9 device comprises a desktop running Windows 10 IoT; a native keyboard and trackpad; Common Service Desktop, a Web interface for performing administrative tasks; and EchoPac, the software used by clinicians to review ultrasound images.

The flaws Nozomi found leverage all of these components, resulting in multiple avenues for attackers to perform arbitrary code execution with administrative privileges. Bad actors with physical access to a Vivid T9 device can execute attacks, either by directly interacting with it or by attaching a thumb drive that emulates the keyboard, but they can also execute attacks over the local network.

The attacks, Nozomi argued, can result in either ransomware or harm to patient data. In terms of ransomware, the researchers wrote:

[W]e successfully verified the ability to lock the Vivid T9 by means of a proof-of-concept ransomware. After physically accessing the device and removing all Windows security protections (which was possible due to the full privileges obtained), we were able to disrupt the device logic while simultaneously showing a picture on the screen asking for the payment of a ransom. ... A similar payload may also be executed against a doctor’s workstation running Echopac.
Ransomware attack process.
[Click on image for larger view.]   Ransomware attack process. (Source: Nozomi)

Regarding harm to patient data, Nozomi explained the attack method this way:

[H]aving achieved code execution with full privileges on a target system, nothing can stop an attacker from accessing and even manipulating all patient data stored on it. For instance, when considering Echopac, all patient data is stored in the companion SQL Anywhere. These databases can be easily accessed after exfiltrating and loading the file in a compatible client...or, even more simply, by sending SQL commands to the exposed network port.
Patient data compromise attack process.
[Click on image for larger view.]   Patient data compromise attack process. (Source: Nozomi)

The following are the 11 vulnerabilities identified by Nozomi:

CVE ID CWE CVSS v3.1 Base Score CVSS v3.1 Vector
CVE-2024-27107 Use of Hard-coded Credentials (CWE-798) 9.6 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE-2020-6977 Protection Mechanism Failure (CWE-693) 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2024-1628 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78) 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2024-27110 Execution with Unnecessary Privileges (CWE-250) 8.4 CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE-2024-1630 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) 7.7 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVE-2024-27109 Insufficiently Protected Credentials (CWE-522) 7.6 CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE-2024-1486 Incorrect Permission Assignment for Critical Resource (CWE-732) 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2024-27108 Incorrect Permission Assignment for Critical Resource (CWE-732) 6.8 CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2020-6977 Execution with Unnecessary Privileges (CWE-250) 6.4 CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2024-1629 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2024-27106 Missing Encryption of Sensitive Data (CWE-311) 5.7 CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

GE has updated its product security portal with guidance for many of the above vulnerabilities, as well as a comprehensive lists of affected machines.

To prevent the attacks described, Nozomi encouraged organizations to avoid leaving Vivid ultrasound machines unattended "even for a short period of time," and to practice good network security hygiene -- for instance, by limiting network activity to only what's essential.

Specifically for machines with EchoPac installed, the researchers suggested "[blocking] incoming connections via firewall to SMB and 2638/tcp (SQL Anywhere DB server port) when the workstation is connected to an unprotected network."

About the Author

Gladys Rama (@GladysRama3) is the editorial director of Converge360.

Must Read Articles

Welcome to, the new site for healthcare IT Pros looking for insights on cloud and other cutting-edge IT tech.
Sign up now for our newsletter and don’t miss out! Sign Up Today