
The US Food and Drug Administration (FDA) alerts healthcare providers that certain patient monitors from Contec and Epsimed are gathering data and beaming it to a hardcoded IP address. The medical devices also contain backdoors that allow unauthorized remote attackers to execute code on them.
The critical flaws plague Contec CMS8000 and their relabeled versions such as Epsimed MN-120. Contec Medical Systems is a global medical device and healthcare solutions company headquartered in China.
These models “may put patients at risk after being connected to the internet,” the FDA said.
Patient monitors are widely used in health care and home settings to display vital signs, such as electrocardiogram, temperature, heartbeat, blood pressure, blood oxygen saturation, respiration rate, and more.
The US Cybersecurity and Infrastructure Security Agency released a separate alert and noted that CMS8000s are used in the US and European Union to provide continuous monitoring of a patient’s vital signs.
The “inclusion of this backdoor in the firmware of the patient monitor can create conditions which may allow remote code execution and device modification with the ability to alter its configuration, introducing risk to patient safety as a malfunctioning patient monitor could lead to an improper response,” CISA said.
CISA’s analysis revealed ‘anomalous network traffic.’ The device’s firmware also contained highly unusual characteristics.
The reverse backdoor provides automated connectivity to a hard-coded IP address from the Contec CMS8000 devices, allowing the device to download and execute unverified remote files.
“When the function is executed, files on the device are forcibly overwritten, preventing the end customer—such as a hospital—from maintaining awareness of what software is running on the device,” CISA noted.
The undisclosed hardcoded IP address is not associated with the vendor or medical facility, but it belongs to a third-party university, which was also unspecified. When the device is turned on, it beacons to this IP and then starts transmitting patient information via an unsecured protocol using port 515.
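As an added defender-side illustration, not code from the FDA or CISA advisories, the following Python flags the traffic pattern described above in constructed flow records: a known monitor host sending to port 515 at anything other than the approved central station, or reaching any address outside the hospital's networks. The monitor address, central station, LAN range and external address are all assumed values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample flow records, "timestamp,src_ip,dst_ip,dst_port,bytes".
# Assumed: the monitor is 10.20.0.15, the approved central station is
# 10.20.0.2, the hospital LAN is 10.20.0.0/16, and 203.0.113.10 is a
# constructed external address standing in for the redacted hard-coded IP.
SAMPLE_FLOWS = """\
2025-01-30T08:00:01,10.20.0.15,10.20.0.2,515,1200
2025-01-30T08:00:02,10.20.0.15,203.0.113.10,515,96
2025-01-30T08:00:05,10.20.0.15,203.0.113.10,515,48000
2025-01-30T08:00:07,10.20.0.15,10.20.0.9,80,400
2025-01-30T08:00:08,10.20.0.31,203.0.113.10,443,2000
2025-01-30T08:00:09,10.20.0.15,203.0.113.10,80,350000
"""

MONITORS = {"10.20.0.15"}                    # assumed CMS8000 inventory
APPROVED_DESTINATIONS = {"10.20.0.2"}        # assumed central station
HOSPITAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed LAN
DATA_PORT = 515  # port CISA names for the unencrypted patient-data stream

REASON_PORT = f"port {DATA_PORT} to unapproved host"
REASON_EXTERNAL = "monitor contacting external address"


@dataclass
class Alert:
    timestamp: str
    src: str
    dst: str
    reason: str


def is_external(ip: str) -> bool:
    """True when the address lies outside every hospital network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in HOSPITAL_NETS)


def detect(flow_text: str) -> list[Alert]:
    """Return one Alert per monitor flow to an unapproved or external host."""
    alerts = []
    for line in flow_text.splitlines():
        ts, src, dst, port, _size = line.split(",")
        if src not in MONITORS or dst in APPROVED_DESTINATIONS:
            continue  # not a monitor, or the sanctioned monitoring station
        if int(port) == DATA_PORT:
            alerts.append(Alert(ts, src, dst, REASON_PORT))
        elif is_external(dst):
            alerts.append(Alert(ts, src, dst, REASON_EXTERNAL))
    return alerts
```

Running `detect(SAMPLE_FLOWS)` yields three alerts, all for the external address: two port 515 flows and one non-515 flow that would correspond to the file download CISA describes.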
Three cybersecurity vulnerabilities have been identified. They can be exploited to deny access to the device or to take over the device completely and control it remotely, performing unexpected or undesired actions and corrupting the data.
CISA tested three firmware versions, including the latest one, and all packages were found to be vulnerable.
The FDA is unaware of any cybersecurity incidents, injuries, or deaths related to this vulnerability at this time. However, the authority recommends only using CMS8000's local monitoring features.
“If your patient monitor relies on remote monitoring features, unplug the device and stop using it,” the FDA said.
The FDA also continues “to work with Contec and CISA to correct these vulnerabilities as soon as possible.”
Contec has provided firmware updates, but CISA's analysis found the backdoor vulnerability persisting even in the latest pre-release version. For now, there’s no confirmed software patch available to fully address this critical security flaw.
Healthcare organizations are urged to closely monitor the Contec CMS8000 monitors and report any issues to the FDA. This vulnerability highlights the importance of robust medical device cybersecurity measures to protect patient safety and privacy.
The report indicates that the hard-coded IP address associated with the Contec CMS8000 backdoor is not linked to the device manufacturer or any medical facility, but rather, to a third-party university. However, the specific IP address is redacted in the document, so the exact address is not disclosed publicly. This lack of transparency raises concerns about the security implications of the backdoor, as it allows the device to connect to an unverified external source.