
Critical Cybersecurity Flaws Found in GE HealthCare Ultrasound Systems

Nozomi Networks Labs has identified 11 vulnerabilities, including critical-severity flaws, in GE HealthCare’s Vivid Ultrasound systems and their associated software. These flaws could allow attackers to install ransomware on the imaging device or to read and manipulate patient data, posing significant risks to hospital operations and data security. Exploiting the Vivid T9 device itself requires physical access to the machine; the EchoPAC review software runs on ordinary hospital workstations, which is why the recommendations below also cover network exposure of those hosts.

Research Scope

Nozomi Networks examined the security of GE HealthCare’s Vivid family, focusing on the Vivid T9 and its Common Service Desktop web application, along with the EchoPAC software. The Vivid T9 is used for cardiac and general-purpose ultrasound imaging and runs a customized Windows 10 OS in a kiosk mode that confines the operator to the clinical application and is meant to keep the underlying operating system out of reach.

Major Findings

  1. Ransomware Risk: Attackers can lock ultrasound machines and demand a ransom, disrupting essential medical services.
  2. Patient Data Vulnerability: Unauthorized access and manipulation of patient data can compromise confidentiality and healthcare quality.

Devices and Software Affected

  • Vivid T9 Ultrasound System: A cardiac imaging system running a customized version of Microsoft Windows 10, with limited user access to the underlying OS.
  • Common Service Desktop: A web application for administrative tasks on Vivid T9, exposed only on the device’s localhost interface.
  • EchoPAC Software: Clinical software for reviewing ultrasound images on doctors’ workstations, capable of accessing and manipulating patient data.

Exploitation Scenarios

  • Physical Interaction Required: Exploiting the Vivid T9 requires direct interaction with the device’s keyboard and trackpad.
  • Ransomware Implantation: Attackers can bypass security protections and lock the device, demanding a ransom.
  • Patient Data Access: Full system access allows attackers to exfiltrate and manipulate patient data stored in SQL databases.

Recommended Actions

  • Do not leave ultrasound devices unattended.
  • Block incoming connections to the SMB and SQL Server ports on workstations running EchoPAC, so that the patient database on those hosts cannot be reached from elsewhere on the network.
  • Ensure proper network segmentation and limit communications to essential traffic only.
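The following PowerShell script is an added example, not code from Nozomi Networks or GE HealthCare, showing how the second recommendation above can be applied on a Windows EchoPAC workstation with the built-in Windows Defender Firewall. The port numbers are assumed to be the defaults (SMB on TCP 445/139 with NetBIOS on UDP 137/138, SQL Server on TCP 1433 with the SQL Browser on UDP 1434); the rule names are arbitrary, and an EchoPAC SQL instance bound to a non-default fixed port would need that port added.

```powershell
# Added example (not from Nozomi Networks or GE HealthCare): Windows Defender Firewall
# rules that block unsolicited inbound SMB and Microsoft SQL Server traffic on an
# EchoPAC review workstation. Assumptions: Windows 10/11 with the built-in firewall,
# local administrator rights, and the default SMB/SQL port numbers listed below.
# Run from an elevated PowerShell prompt.

#Requires -RunAsAdministrator

# Rule names are arbitrary; ports are the standard defaults (assumption).
$rules = @(
    @{ Name = 'EchoPAC-Block-SMB-TCP';     Protocol = 'TCP'; Ports = @(139, 445) }
    @{ Name = 'EchoPAC-Block-NetBIOS-UDP'; Protocol = 'UDP'; Ports = @(137, 138) }
    @{ Name = 'EchoPAC-Block-MSSQL-TCP';   Protocol = 'TCP'; Ports = @(1433) }
    @{ Name = 'EchoPAC-Block-MSSQL-UDP';   Protocol = 'UDP'; Ports = @(1434) }
)

foreach ($r in $rules) {
    # Idempotent: drop any rule of the same name left by a previous run, then recreate it.
    Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule

    # Inbound + Block across all profiles (Domain, Private, Public). Explicit block rules
    # take precedence over allow rules, so the stock "File and Printer Sharing" or
    # "SQL Server" allow rules do not reopen these ports.
    New-NetFirewallRule -DisplayName $r.Name `
        -Direction Inbound -Action Block -Enabled True -Profile Any `
        -Protocol $r.Protocol -LocalPort $r.Ports `
        -Description 'Blocks inbound SMB/SQL Server access to the EchoPAC workstation' | Out-Null
}

# Verify: list the rules together with the protocol/port filter attached to each.
Get-NetFirewallRule -DisplayName 'EchoPAC-Block-*' |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule   = $_.DisplayName
            Proto  = $pf.Protocol
            Ports  = ($pf.LocalPort -join ',')
            Action = $_.Action
            On     = $_.Enabled
        }
    } | Format-Table -AutoSize

# From a different host on the same segment, confirm the ports no longer answer
# (expect TcpTestSucceeded = False; <echopac-host> is a placeholder):
#   Test-NetConnection -ComputerName <echopac-host> -Port 445
#   Test-NetConnection -ComputerName <echopac-host> -Port 1433
```

Two caveats when rolling this out. The rules are inbound only: if EchoPAC pulls studies from a file share or a PACS, it does so as an outbound client, and the firewall's stateful handling still admits the return traffic, so that workflow is unaffected. Conversely, anything that legitimately connects into the workstation over SMB (remote administration of its shares, backup agents reading files) or into its SQL instance (a central reporting tool) will break, so confirm those flows with the clinical engineering team and, where one is truly needed, add a narrowly scoped allow rule with `-RemoteAddress` limited to that single source rather than re-opening the port.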

More information can be found in our medical device vulnerability database that is accessible to members only.
