Backdoor in Chinese-made healthcare monitoring device leaks patient data

by CybrGPT

Functionality in the device firmware sends patient data to a hardcoded IP address that also downloads and executes binary files without the owner’s knowledge.


US federal agencies have warned that a popular Chinese-made patient monitor device used in medical settings across the US and Europe has a built-in backdoor that leaks patient data to an unauthorized remote server. The backdoor, present also in a rebranded version of the device, also allows the remote server, which appears to belong to a university, to execute unauthorized code on the device.

According to a safety advisory from the US Food and Drug Administration (FDA), which authorizes medical devices for use in the US, the affected patient monitors are the Contec CMS8000 and the Epsimed MN-120, a relabeled version of the Contec device. The devices are used to monitor patients’ vital signs, including electrocardiogram, heart rate, blood oxygen saturation, noninvasive blood pressure, temperature, and respiration rate.

Contec Medical Systems is one of the largest Chinese medical device manufacturers with headquarters in Qinhuangdao and subsidiaries in Chicago, Dusseldorf, and New Delhi. In addition to patient monitors, the company produces a wide range of medical products, such as pumps, ultrasound systems, endoscopes, respiratory aids, EEG and EMG systems, diagnostics devices, and more.

CISA analysis reveals backdoor functionality

The backdoor was discovered by the US Cybersecurity and Infrastructure Security Agency (CISA) after it received a report about a vulnerability in Contec CMS8000 from an external researcher.

In reviewing the vulnerability report, CISA researchers analyzed the device’s firmware, which led to the discovery of suspicious functionality inside the firmware code that reached out to a hardcoded IP address. That IP address was not registered to the device manufacturer or a medical facility; instead, it appears to belong to a third-party university. CISA did not disclose the IP address nor the name of the university in its report.

The CISA team found that a binary called monitor, shipped with the Linux-based firmware of the device, had functions that first enabled the eth0 network interface on the device, then attempted to mount a remote directory from the hardcoded IP address over the NFS protocol.

The remote folder is mounted locally as a directory called /mnt, after which the application checks whether a file called monitor is present in the directory. If the file exists, another command is issued to copy all the files from the directory to the local /opt/bin directory, overwriting any files with the same name that are already present there. Another command is then issued to copy a file called /opt/bin/start to /opt/startmonitor and then to copy other files to other locations on the file system.

“By reviewing the firmware code, the team determined that the functionality is very unlikely to be an alternative update mechanism, exhibiting highly unusual characteristics that do not support the implementation of a traditional update feature,” CISA said in its analysis report. “For example, the function provides neither an integrity checking mechanism nor version tracking of updates. When the function is executed, files on the device are forcibly overwritten, preventing the end customer — such as a hospital — from maintaining awareness of what software is running on the device.”

In addition to this hidden remote code execution behavior, CISA also found that once the CMS8000 completes its startup routine, it also connects to that same IP address over port 515, which is normally associated with the Line Printer Daemon (LPD), and starts transmitting patient information without the device owner’s knowledge.
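The two network behaviours described above (an NFS mount to a hardcoded external host, followed by a stream to port 515/LPD) are detectable from ordinary connection logs. The following is an added example, not code from CISA or the vendor, that scans constructed Zeek-style conn.log records for a patient-monitor subnet and flags NFS or LPD connections to any host that is not on a site allowlist; the subnet, allowlist and log lines are assumptions.

```python
import ipaddress
from typing import Iterable

# Ports for the behaviours CISA describes: NFS (portmapper 111, nfsd 2049)
# for the remote mount, and LPD (515) for the patient-data stream.
NFS_PORTS = {111, 2049}
LPD_PORT = 515

# Constructed sample records in a simplified Zeek conn.log layout:
# ts  orig_h  orig_p  resp_h  resp_p  proto  (tab-separated).
# 10.20.5.17 plays the monitor; 10.20.5.2 is the site's real print server.
SAMPLE_LOG = """\
1738000001.1\t10.20.5.17\t49152\t10.20.5.2\t515\ttcp
1738000002.4\t10.20.5.17\t49153\t203.0.113.9\t111\ttcp
1738000003.0\t10.20.5.17\t49154\t203.0.113.9\t2049\ttcp
1738000004.2\t10.20.5.17\t49155\t203.0.113.9\t515\ttcp
1738000005.8\t10.20.7.40\t50111\t198.51.100.20\t443\ttcp
"""

def parse_conn(lines: Iterable[str]):
    """Yield one dict per non-comment, non-empty log line."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, orig_h, _orig_p, resp_h, resp_p, proto = line.split("\t")
        yield {"ts": float(ts), "orig_h": orig_h, "resp_h": resp_h,
               "resp_p": int(resp_p), "proto": proto}

def find_suspicious(lines, monitor_subnet: str, allowed_servers):
    """Flag NFS/LPD connections from the monitor subnet to non-allowlisted hosts."""
    subnet = ipaddress.ip_network(monitor_subnet)
    allowed = {ipaddress.ip_address(a) for a in allowed_servers}
    hits = []
    for rec in parse_conn(lines):
        src = ipaddress.ip_address(rec["orig_h"])
        dst = ipaddress.ip_address(rec["resp_h"])
        if src not in subnet or dst in allowed:
            continue
        if rec["resp_p"] in NFS_PORTS:
            reason = "nfs-mount-to-unexpected-host"
        elif rec["resp_p"] == LPD_PORT:
            reason = "lpd-stream-to-unexpected-host"
        else:
            continue
        hits.append({"ts": rec["ts"], "monitor": str(src), "dest": str(dst),
                     "port": rec["resp_p"], "reason": reason})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG.splitlines(), "10.20.5.0/24", ["10.20.5.2"]):
        print(hit)
```

On a real network the allowlist should hold only the site's own NFS and print servers, so that any monitor-to-Internet connection on these ports stands out immediately.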

“The research team created a simulated network, created a fake patient profile, and connected a blood pressure cuff, SpO2 monitor, and ECG monitor peripherals to the patient monitor,” the agency said. “Upon startup, the patient monitor successfully connected to the simulated IP address and immediately began streaming patient data to the address.”

Upon contacting the vendor about the issue, CISA first received a supposed patched firmware image for validation in November and then another in December. In the last firmware version, 2.0.8, the vendor removed the line that enabled the eth0 interface from the operating system’s startup scripts but left the backdoor code inside the monitor binary.

This strategy does not mitigate the vulnerability, because the backdoor code explicitly re-enables eth0 before it mounts the remote directory, CISA said.

Mitigation

Because there is no patch available, the FDA recommends disabling all remote monitoring functions by unplugging the device’s Ethernet cable and disabling Wi-Fi or cellular connections if they are used. This applies both to patients who use affected devices in a home setting and to health providers who use Contec CMS8000 or Epsimed MN-120 devices in their facilities.

Furthermore, the FDA recommends the device be used only for local in-person monitoring. If remote monitoring by a healthcare provider is needed, a different patient monitoring device from a different manufacturer should be used.
