
February 4, 2025 |

CISA warns Chinese backdoor embedded in Contec patient monitors


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that Contec CMS8000 devices, a widely used healthcare patient monitoring system, contain a hidden backdoor designed to transmit patient data, including patient ID, name, date of birth, and other information such as the attending doctor's name.

Contec is a China-based healthcare technology company that produces a range of medical devices, including:

  • Patient monitors
  • Diagnostic tools
  • Laboratory instruments

An external researcher first reported the vulnerability in CMS8000 devices to CISA, which then began its own investigation into the device's firmware. CISA found that one of the device's executables, 'monitor', contains a backdoor that, on startup, transmits plain-text patient data to a hard-coded IP address associated with an unnamed Chinese university.

None of this activity is logged on the device itself, so the transmissions go unnoticed by administrators unless they specifically examine the device's network traffic.


A threat actor can also use the backdoor to overwrite files and alter device configurations, which could ultimately enable full remote control of the device. CISA advised that it has observed the backdoor attempting to connect to the Chinese university's IP address via port 515 to send the patient data, but has not observed any successful data transfers.

The agency has also stated that it does not believe this is an automatic update feature, but rather a backdoor deliberately planted in the device's firmware.

CISA attempted to resolve the issue with Contec, which sent the agency three separate firmware images that were supposed to have removed the backdoor code. However, each firmware version still contained the backdoor, leading CISA to recommend that all healthcare organizations disconnect these devices from the network if possible.

Source: Bleeping Computer

Analysis

It's likely that CISA isn't disclosing the IP address or the name of the Chinese university it's associated with because of an ongoing investigation into the risk this breach poses and who may have been responsible for it. Disclosing the IP would almost certainly prompt large-scale scanning and probing by researchers, interfering with the analysis that is very likely still under way.

It's possible that this backdoor was included in the CMS8000's firmware to satisfy China's Cybersecurity Law, which compels Chinese companies to provide Chinese law enforcement and intelligence agencies with access to data that transits their devices. If so, the backdoor could give the Chinese government real-time access to the health status of any high-profile patient connected to a Contec CMS8000, representing a serious privacy breach for affected patients.

[Image: Contec CMS8000 patient monitoring device]

Worse still, the backdoor could allow for the information the device displays to be manipulated, potentially resulting in doctors and nurses administering improper treatments, ultimately resulting in patient harm.

The revelation of this backdoor will undoubtedly prompt a massive review of code running on similar health monitoring devices manufactured in China to make sure they don’t contain a similar backdoor. It will also likely result in many healthcare providers taking these devices offline until CISA advises the backdoor has been removed and the devices no longer pose a threat.

Mitigation

Field Effect’s Security Intelligence team constantly monitors the cyber threat landscape for emerging threats in internet-connected devices like patient health monitors. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the risk these threats pose.

Field Effect MDR users are automatically notified when activity associated with backdoors is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

Field Effect recommends that users of these devices stop using them, or at least disconnect them from the internet, until CISA advises that it is satisfied Contec has removed the backdoor. Additionally, organizations should examine network logs associated with these devices and look for connections from them to external IP addresses on port 515.

If such connections are detected, it is highly probable that the device contains the backdoor code. If those connections are found to have transferred data to an external IP address, law enforcement and CISA should be informed.
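The log review recommended above can be scripted. The following is an added example, not Field Effect's own detection content or anything from CISA's advisory: it parses constructed NetFlow-style key=value records, flags TCP connections from the subnet where the monitors sit to any destination outside the organization's internal ranges on port 515, and separates bare connection attempts (no bytes sent) from flows that actually moved data, since the page treats those two cases differently. The log format, the 10.20.5.0/24 monitor VLAN and the addresses in the sample are all assumptions. One caveat built into the filter: TCP port 515 is the standard LPD print-spooler port, so a monitor talking to an internal print server on 515 can be legitimate; only external destinations are flagged.

```python
"""Triage flow logs for outbound port-515 connections from patient monitors.

Added example; the log format and all sample hosts/addresses are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Address space treated as internal. Listed explicitly rather than using
# ipaddress.is_global so that the RFC 5737 documentation ranges used in the
# sample log (203.0.113.0/24, 198.51.100.0/24) count as "external", as a real
# public address would.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

SUSPECT_PORT = 515  # the port CISA reported the CMS8000 backdoor using

# Constructed sample log (hypothetical). 10.20.5.0/24 is the assumed monitor
# VLAN; 10.20.9.40 plays the role of a legitimate internal LPD print server.
SAMPLE_LOG = """\
2025-02-01T08:12:03Z FLOW src=10.20.5.17 dst=10.20.5.1 proto=tcp sport=49201 dport=53 bytes_out=78 state=closed
2025-02-01T08:12:09Z FLOW src=10.20.5.17 dst=203.0.113.45 proto=tcp sport=49210 dport=515 bytes_out=0 state=syn_sent
2025-02-01T08:13:11Z FLOW src=10.20.5.18 dst=203.0.113.45 proto=tcp sport=49322 dport=515 bytes_out=4096 state=closed
2025-02-01T08:14:00Z FLOW src=10.20.5.17 dst=10.20.9.40 proto=tcp sport=49333 dport=515 bytes_out=1200 state=closed
2025-02-01T08:15:20Z FLOW src=10.20.5.19 dst=198.51.100.7 proto=tcp sport=49400 dport=443 bytes_out=5100 state=closed
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Finding:
    timestamp: str
    src: str
    dst: str
    dport: int
    bytes_out: int
    verdict: str  # "attempt" (no payload sent) or "transfer" (data left the device)


def parse_flow(line):
    """Return the key=value fields of one FLOW record as a dict, or None."""
    parts = line.split(maxsplit=2)
    if len(parts) < 3 or parts[1] != "FLOW":
        return None
    fields = dict(FIELD_RE.findall(parts[2]))
    fields["timestamp"] = parts[0]
    return fields


def is_internal(addr):
    """True if addr falls inside one of the organisation's internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def triage(log_text, monitor_subnets, port=SUSPECT_PORT):
    """Flag TCP flows from the monitor subnets to external hosts on `port`."""
    subnets = [ipaddress.ip_network(s) for s in monitor_subnets]
    findings = []
    for line in log_text.splitlines():
        f = parse_flow(line)
        if f is None or f.get("proto") != "tcp":
            continue
        src = ipaddress.ip_address(f["src"])
        if not any(src in s for s in subnets):
            continue  # source is not a patient monitor
        if int(f["dport"]) != port or is_internal(f["dst"]):
            continue  # wrong port, or an internal destination such as a real LPD print server
        bytes_out = int(f.get("bytes_out", 0))
        verdict = "transfer" if bytes_out > 0 else "attempt"
        findings.append(Finding(f["timestamp"], f["src"], f["dst"],
                                int(f["dport"]), bytes_out, verdict))
    return findings


if __name__ == "__main__":
    for fnd in triage(SAMPLE_LOG, ["10.20.5.0/24"]):
        print(f"{fnd.timestamp} {fnd.src} -> {fnd.dst}:{fnd.dport} "
              f"{fnd.verdict} ({fnd.bytes_out} bytes)")
```

Run against the sample, the script reports two findings on 203.0.113.45: a failed attempt from 10.20.5.17 (a reason to suspect the device carries the backdoor) and a 4096-byte transfer from 10.20.5.18 (the case the page says should be reported to CISA and law enforcement). The internal port-515 flow to 10.20.9.40 and the HTTPS flow are not flagged. Real deployments would swap the embedded sample for the firewall or NetFlow export and set the monitor subnet to the VLAN where the CMS8000 units actually sit.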
