
On January 30, the U.S. cybersecurity agency CISA published an alert about a backdoor in patient monitors, which was supplemented by a notification from the U.S. Food and Drug Administration (FDA).
According to the report, the Chinese-made Contec CMS8000 patient monitor and OEM white-label variants contain a backdoor that communicates with a Chinese IP address. Security researchers at Team82, the research division of cyber-physical systems (CPS) security specialist Claroty, examined the firmware and concluded that it is most likely NOT a hidden backdoor, but an insecure/vulnerable design that poses a major risk to patient monitor users and hospital networks.
Patient monitor with firmware leak
This assumption is supported by the fact that the manufacturer and resellers list the relevant IP address in their manuals and instruct users to configure the Central Management System (CMS) with this IP address on their internal networks. This is therefore likely not a campaign to intercept patient data, but rather an unintended compromise that could be used by cybercriminals to collect information or perform insecure firmware updates. Nevertheless, the vulnerability should be remedied as a priority.
Expert recommendations
- It is strongly recommended that companies using this patient monitor block any access to the 202.114.4.0/24 subnet from their internal network. This can prevent the devices from attempting to update their firmware from a WAN server or transfer sensitive data.
- On some OEM models of the CONTEC CMS8000 it is possible to change the default network configuration of the CMS. If this is possible, the default IP address 202.114.4.119 should not be used.
- If you rely on the hard-coded IP address 202.114.4.119 for monitoring and updates, security experts recommend using static routes and/or network segmentation to ensure that this traffic is only directed to your own CMS and not outwards.
- If the HL7 functionality of the patient monitor is used, all outgoing network traffic to 202.114.4.120 should be blocked to prevent possible data leakage.
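As an added illustration of the recommendations above (not code from the article, CISA, or Claroty), the following script flags flows from the internal network toward the 202.114.4.0/24 subnet named in the advisory, distinguishing the hard-coded CMS/update address from the HL7 export address, and emits a WAN-side drop rule. The flow-log format, the sample records, and the interface name `wan0` are assumptions.

```python
import ipaddress
from typing import Optional

# Addresses named in the advisory: the /24 the monitors reach out to, the
# hard-coded CMS address used for monitoring and updates, and the HL7 target.
CONTEC_SUBNET = ipaddress.ip_network("202.114.4.0/24")
CMS_ADDR = ipaddress.ip_address("202.114.4.119")
HL7_ADDR = ipaddress.ip_address("202.114.4.120")

# Constructed sample flow records (not real traffic): "src dst dport".
SAMPLE_FLOWS = """\
10.20.5.17 10.20.5.2 515
10.20.5.17 202.114.4.119 515
10.20.5.18 202.114.4.120 2575
10.20.5.19 202.114.4.200 80
10.20.5.20 8.8.8.8 53
not a flow record
"""

def classify(dst: str) -> Optional[str]:
    """Label a destination, or return None if it is outside the advisory /24."""
    addr = ipaddress.ip_address(dst)
    if addr not in CONTEC_SUBNET:
        return None
    if addr == CMS_ADDR:
        return "cms-update"      # monitor reaching for the vendor CMS/update host
    if addr == HL7_ADDR:
        return "hl7-export"      # HL7 patient-data export path
    return "other-subnet"        # anything else inside 202.114.4.0/24

def scan_flows(text: str) -> list[tuple[str, str, str]]:
    """Return (src, dst, kind) for every flow whose destination is in the /24."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            kind = classify(parts[1])
        except ValueError:
            continue  # malformed address: skip the record, do not abort the scan
        if kind:
            findings.append((parts[0], parts[1], kind))
    return findings

def egress_rules(wan_if: str) -> list[str]:
    """iptables command dropping the /24 on the WAN side only, so a locally
    hosted CMS at 202.114.4.119 (hypothetical) on the LAN stays reachable."""
    return [f"iptables -I FORWARD -o {wan_if} -d {CONTEC_SUBNET} -j DROP"]

if __name__ == "__main__":
    for src, dst, kind in scan_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {kind}")
    print(*egress_rules("wan0"), sep="\n")
```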
About Claroty
Claroty, the Industrial Cybersecurity Company, helps its global customers discover, protect and manage their OT, IoT and IIoT assets. The company's comprehensive platform can be seamlessly integrated into customers' existing infrastructure and processes and offers a wide range of industrial cybersecurity controls for transparency, threat detection, risk and vulnerability management and secure remote access - with significantly reduced total cost of ownership.