CISA is reporting that Contec CMS8000 medical devices are connecting with a hard-coded IP outside of the US (suspected to be in China) and both sending patient data and downloading code. Several updates that were supposed to have fixed this “issue” have not done so. The same IP is also hard-coded in other medical equipment.
There are currently no patches, and the recommendation is to remove the devices from the network.
10 Spice ups
I’m not in the Healthcare field personally, but there doesn’t seem to be a valid reason for these monitors to have a route to the Internet in the first place. Legitimate firmware updates, perhaps, but not for day-to-day operations.
I would prefer them be limited to local access only. They can still send telemetry to the nurse station. If I was a network admin in a hospital I’d be blocking that hard coded IP at the firewall right away.
3 Spice ups
ich-ni-san
(ich.ni.san)
3
That’s kind of a “Wow” story.
I wonder why they’re not sharing that IP address. It seems it might be a good idea to block all traffic to/from that IP address. I think I’d at least want the option.
2 Spice ups
This lends itself to a discussion that I’m sure has been thrown around before. Before allowing a new device (from any manufacturer) on your production network, is there value in connecting it to a sandboxed environment first to observe its behavior?
It would be a lot more effort than simply plugging it in and hoping for the best, but a separate switch or VLAN with port mirroring and Wireshark would rat out something phoning home unexpectedly. Maybe even leave it that way for a few days in case the manufacturer includes a time delay?
2 Spice ups
phildrew
(phildrew)
5
I would hope that hospitals have basic deny all rules (forcing allow-listing) on the firewalls for their medical devices… I’m probably hoping up the wrong tree.
Allowing NFS, or LPD out to the Internet makes no sense from an operations standpoint - unless that’s something those devices have a documented NEED to do.
While bad that the manufacturer was unable to remove the code (who knows how hard they were actually trying), I find it far more troubling that healthcare facilities would have such a callous approach to network security/patient data in the first place.
2 Spice ups
All the healthcare systems that have been in the news after untold numbers of patients’ PII has been stolen might suggest that security isn’t their topmost priority. That said, end users, bean counters (“Do we really need the Philips brand? This one on Amazon/Temu is half the cost.”), and the fact that they are very high-value targets doesn’t help.
1 Spice up
I am in Health Care. By default any new device (with the exception of PCs, since they go through a proxy) has access to nothing. All access has to be requested on a per IP/PORT basis.
I know that it may not be the way other organizations work, but with everything being IoT now, I think that everyone needs to tighten security. Not just Health Care.
3 Spice ups
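Pulling together the sandbox-and-watch suggestion above and the per-IP/port allow-listing described in the last two posts, here is an added example (not from any poster or from CISA) that audits flow records exported from a mirrored port against a device-specific allow list. The subnet, allow-list entries and sample flows are all constructed placeholders; the NFS and LPD ports are the ones mentioned earlier in the thread.

```python
"""Allow-list audit of flows observed from a quarantine VLAN for new devices."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


# Constructed: hypothetical quarantine VLAN where new devices are first observed.
DEVICE_SUBNET = ipaddress.ip_network("10.50.0.0/24")

# Constructed allow list: (destination, port, proto) a monitor legitimately needs.
ALLOW = [
    (ipaddress.ip_network("10.50.0.5/32"), 5000, "tcp"),  # nurse-station collector (hypothetical)
    (ipaddress.ip_network("10.50.0.2/32"), 123, "udp"),   # local NTP (hypothetical)
]


def is_allowed(flow):
    """True if the flow matches an allow-list entry on destination, port and protocol."""
    dst = ipaddress.ip_address(flow.dst)
    return any(dst in net and flow.dport == port and flow.proto == proto
               for net, port, proto in ALLOW)


def audit(flows):
    """Return flows that leave the device subnet for anything not on the allow list."""
    return [f for f in flows
            if ipaddress.ip_address(f.src) in DEVICE_SUBNET and not is_allowed(f)]


def summarize(findings):
    """Group unexpected destinations with the set of ports each was contacted on."""
    summary = {}
    for f in findings:
        summary.setdefault(f.dst, set()).add(f.dport)
    return summary


# Constructed sample: two expected flows, then NFS (2049) and LPD (515) to an
# outside address that is not on the allow list (203.0.113.0/24 is documentation space).
SAMPLE_FLOWS = [
    Flow("10.50.0.20", "10.50.0.5", 5000, "tcp"),
    Flow("10.50.0.20", "10.50.0.2", 123, "udp"),
    Flow("10.50.0.20", "203.0.113.10", 2049, "tcp"),
    Flow("10.50.0.20", "203.0.113.10", 515, "tcp"),
]

if __name__ == "__main__":
    for dst, ports in summarize(audit(SAMPLE_FLOWS)).items():
        print(f"UNEXPECTED destination {dst} on ports {sorted(ports)}")
```

Leaving the device in the quarantine VLAN for several days and re-running this over each day's export covers the delayed-beacon case raised later in the thread.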
The smarter back doors will wait to send data. They may hold it until they see what looks like actual patient data for a certain period of time, maybe weeks or months, before sending.
Point being, these should never be allowed to talk to the internet to begin with.
2 Spice ups
t3chl3ad3r
(t3chl3ad3r)
9
With the way the “smart” device trend is heading, IoT security issues will keep compounding. Only a matter of time before these issues come up with more critical medical devices, cars, etc.
2 Spice ups
Completely!! Security is not the priority of the facility managers (board members). Getting technology cheap is, as well as reducing staff numbers.
I used to work in a very broad healthcare role & out of the hundreds of facilities I have visited, only one company/brand had a network manager or even onsite tech support.
This singular company runs all tech from a central location (for the country) & they only support 3 network engineers…
All others just bought software packages from various vendors & choice was based upon the features that brought savings.
1 Spice up
I work in healthcare, and modalities are on their own VLAN with no Internet access. Due to FDA regulations, they are rarely patched, sometimes running a vulnerable OS.
3 Spice ups
Ethan6123
(Ethan6123)
12
A month or so ago we received a notification the vendor providing our medication distribution cabinets (name rhymes with Myxis) hardcoded administrator passwords into their software.
Their proposed short-term fix? Don’t let non-employees touch the medication cabinets.
Brilliant! Why didn’t we think of that?
Because it takes forever for medical vendors to get their software certified, we’re still waiting for the update to remove the hardcoded passwords.
2 Spice ups