MDhex Vulnerabilities Impact GE Patient Vital Signs Monitoring Devices (zdnet.com) 11
Security researchers from CyberMDX, a cyber-security company specialized in healthcare security, have disclosed today technical details about six vulnerabilities they are collectively referring to as MDhex. From a report: The vulnerabilities impact seven GE Healthcare devices meant for patient vital signs monitoring. These are devices installed near patient beds, meant to collect data from sick patients, and send it back to a telemetry server, monitored by clinical staff.
Whoa... (Score:1)
Re: (Score:1)
Hard coded credentials shared across a product line smells much more like a product management decision than a technical one. Having been in the healthcare software industry, I would suspect the software team protested and were threatened into "compliance."
Not vulnerablities (Score:2)
Clearly Overblown (Score:2)
From the article:
However, a GE Healthcare spokesperson disputed the severity ratings, contesting that "in properly configured situations, application of a recommended environmental score modification would land the vulnerabilities at a Common Vulnerability Scoring System (CVSS) score of 8.2," and not 10/10.
Guys, listen: It's only super bad, not ULTRA bad.
Sounds like someone needs to be slapped with a fine so they're more worried about delivering a secure product than handling PR.
Peaceful citizens should never need to fear their government, but so many corporations need an "incentive" to ensure they behave responsibly toward their employees and customers.
Hospitals have known since November (Score:1)
From TFA:
GE Healthcare began sending letters to customers globally on November 12, 2019, which reminds users of the proper configuration of the patient monitor networks," a GE spokesperson told ZDNet.
"We are advising our customers to ensure their networks are properly configured and isolated to protect against these potential concerns and mitigate the risk." [emphasis added]
GE HEalthcare, the worst of the worst (Score:2)
I'm familiar with GE Healthcare, and they truly suck monkey balls. They have an office in Issaquah WA that should be bulldozed and turned into a parking lot.
It's a crappy place to work, they make crappy equipment, and their design group couldn't find their ass with a mirror and team of Army Rangers to point the way.
Not accepting a job with them was one of the few smart employment choices I ever made. Just talking with their hiring bozos was enough to put me off them for life.
Re: (Score:2)
Don't write life support machines in C-likes, plea (Score:3)
No, not C++, Java, Rust, whatever, nor anything like it, either.
Don't include a CPU at all, if possible.
Include a microcontroller, if you must. Have three teams write three completely independent design specs. Then for each spec, have three completely independent teams (so nine teams) write implementations.
Then have three QA teams audit all nine implementstions, fuzz them all, and if thete ever is even one difference, it *completely* back to the drawing board for all three spec and nine dev teams!
And they never get to even know the other teams exist! Not even between the QA teams.
Only that they get all feedback about unexpected behavior triple-issued. And if those three feedback messages disagree in anything at all, they are told independently, to check again.
And if you absolutely need any higher-level code, please use Haskell, Erlang or the like. On QNX.
At the very least!
THEN I will even consider pondering if you are to be trusted.