Researcher Jason Sinchak on Recent Cyber Warnings About Contec CMS8000 Devices
A hidden reverse backdoor in low-cost vital sign monitors used globally in patient homes and healthcare settings is hardcoded with an IP address connecting to a Chinese government-funded education and research network, which poses serious potential privacy, safety and other concerns, said security researcher Jason Sinchak of ELTON.
The hidden reverse backdoor, along with two other vulnerabilities, was the subject of recent cyber alerts from the U.S. Food and Drug Administration and the Cybersecurity and Infrastructure Security Agency (see: Attackers Could Gain Control of 2 Flawed Patient Monitors).
While Sinchak did not discover these most recent vulnerabilities in the Contec CMS8000 and the Epsimed MN-120 patient monitor – both manufactured by China-based Contec Medical Systems – he previously identified other serious vulnerabilities in those same products (see: CISA Warns of Contec Patient Monitoring Device Flaws).
The latest issues – and especially the hidden reverse backdoor in the Contec CMS8000 – are very concerning, he said.
“We haven’t seen an issue just like this before – we’ve seen something similar where there might have been issues with the firmware update process. Or maybe it wasn’t totally secure,” he said in a video interview with Information Security Media Group. “But we have never seen a product that would take a software update from a remote location that was in source code by default.”
“Any product of this characteristic – a low price point and potentially low quality from a software development perspective – you tend to question what’s going on there and who’s manufacturing it, and what that means for that particular nation, as far as being able to affect that product,” he said.
The FDA and CISA have recommended that users of the affected patient monitors disable internet connectivity to their devices. So far, no patches have been made available by the vendor.
While physiologic monitors, such as the affected Contec CMS8000 devices, do not provide life-saving or life-sustaining treatment, they are essential to monitor the condition of at-risk patients, said Phil Englert, medical device security vice president at the Health Information Sharing and Analysis Center.
“Patient monitors are monitored centrally to promptly notify caregivers of changes in a patient’s condition. Rapid response can be the difference between a good outcome and a bad outcome,” Englert said.
“Healthcare providers are encouraged to evaluate the risks and potential impacts to clinical workflow and clinical outcomes before making changes to the connectivity of monitoring systems,” he said. “If connectivity is maintained, ensure adequate network access controls, segmentation and network traffic monitoring are in place to prevent, detect, and respond to unexpected communications or network activity,” he suggested.
Contec did not respond to any of Information Security Media Group’s questions about the hidden reverse backdoor and the other two vulnerabilities, which include an out-of-bounds write and a privacy leakage issue, instead referring ISMG to the FDA’s safety notice about the issues.
CISA declined ISMG’s request for additional details pertaining to the agency’s findings about the Contec CMS8000 backdoor.
Contec overall is not a major supplier in the patient monitor market, according to the FDA’s supply chain analysis, the agency said in a statement to ISMG.
Nonetheless, the low-cost monitors – which can be purchased through online resellers such as eBay and Amazon – are used in patient homes, healthcare settings and veterinary clinics in the U.S., EU and elsewhere.
“The FDA takes seriously any reports of cybersecurity vulnerabilities in medical devices and will continue to work with CISA on these matters. The FDA is engaging with Contec to address these vulnerabilities as soon as possible. The FDA will assess new information concerning the vulnerabilities and will keep the public informed if significant new information becomes available,” the FDA said.
“The FDA is currently unaware of any evidence that these vulnerabilities exist in other devices. If the FDA becomes aware of such evidence, the FDA will respond, as it did in this case.”
In the video interview, Sinchak also discusses:
- Implications of the hidden backdoor in the Contec CMS8000 for patient safety, privacy and other issues;
- Challenges in mitigating the vulnerabilities identified in the Contec CMS8000;
- Other emerging medical device cybersecurity and related regulatory developments.
Sinchak is co-founder and CEO of medical device cybersecurity firm ELTON. His career is rooted in ethical hacking including testing the limits of security across financial institutions and government systems. For the past decade, Sinchak has been focused on securing operational technology and medical devices.