CISA warns of backdoor vulnerability in Contec monitors

A hidden backdoor function built into the firmware of the Contec CMS8000 patient monitor has been identified by the US Cybersecurity and Infrastructure Security Agency (CISA).

The vulnerability, which includes a hard-coded IP address and the potential for unauthorized access to patient data, exists in all analyzed versions of the device firmware.

The Contec CMS8000 is widely used in medical institutions in the United States and the European Union for monitoring vital signs, including electrocardiogram (ECG), heart rate, blood oxygen levels and other critical patient indicators.

Backdoor in medical monitors can disrupt patient care

CISA's analysis has determined that the backdoor may allow remote code execution (RCE) and device modification. If exploited, the vulnerability can disrupt monitoring functions and potentially lead to incorrect responses to life-threatening conditions.

The backdoor feature allows the device to download and execute remote files without verification, bypassing standard security updates.

The discovery follows reports from an independent security researcher who flagged unusual network activity. After further analysis, CISA confirmed that the monitor tried to connect to an IP address registered to a third-party university.

CISA has found that patient data is automatically transmitted to the same hard-coded IP address when the device is started.

This transmission occurs over port 515, which is usually associated with the Line Printer Daemon (LPD) protocol rather than a standard health data protocol. The absence of encryption and logging for these transmissions increases the risk of confidential patient information reaching unauthorized entities.
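
A defender's check for the behavior described above, as an added example that is not part of the original article or of CISA's advisory: it sweeps flow records for patient-monitor addresses sending to port 515 outside the internal network. The subnets, CSV layout and sample records are constructed assumptions; the article does not give the hard-coded IP, so the check keys on port and direction instead.

```python
import csv
import io
import ipaddress
from collections import defaultdict

SUSPECT_PORT = 515  # port named in the finding described above

# Assumptions: where patient monitors live, and which networks count as internal.
MONITOR_NETS = [ipaddress.ip_network("10.20.30.0/24")]
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_FLOWS = """src,dst,dport,bytes
10.20.30.11,198.51.100.7,515,4096
10.20.30.11,198.51.100.7,515,2048
10.20.30.12,10.20.1.5,515,900
10.20.30.13,203.0.113.9,443,1200
10.50.0.8,198.51.100.7,515,300
not-an-ip,198.51.100.7,515,10
"""

def in_any(addr, nets):
    return any(addr in net for net in nets)

def find_external_515(flow_csv):
    """Return {monitor_ip: {"dsts", "flows", "bytes"}} for port-515 traffic leaving the site."""
    hits = defaultdict(lambda: {"dsts": set(), "flows": 0, "bytes": 0})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            src = ipaddress.ip_address(row["src"])
            dst = ipaddress.ip_address(row["dst"])
            dport, nbytes = int(row["dport"]), int(row["bytes"])
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed records rather than abort the sweep
        if dport != SUSPECT_PORT:
            continue
        # Only monitors talking to addresses outside the internal ranges are of interest.
        if not in_any(src, MONITOR_NETS) or in_any(dst, INTERNAL_NETS):
            continue
        hit = hits[str(src)]
        hit["dsts"].add(str(dst))
        hit["flows"] += 1
        hit["bytes"] += nbytes
    return dict(hits)

if __name__ == "__main__":
    for ip, hit in sorted(find_external_515(SAMPLE_FLOWS).items()):
        print(f"{ip}: {hit['flows']} flow(s), {hit['bytes']} bytes "
              f"to {sorted(hit['dsts'])} on port {SUSPECT_PORT}")
```

A monitor that appears in the output after being moved to an isolated segment indicates the isolation is not effective for that device.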

Despite software updates from the vendor, including version 2.0.8, CISA has confirmed that the backdoor feature remains present. Although some mitigations were attempted, such as disabling certain network interfaces, the main security risks remain.

However, cybersecurity firm Claroty has stated that the reality of the backdoor is more complicated than it might first appear.

After researching the CMS8000 firmware, Claroty's research team, Team82, stated that it is most likely not a hidden backdoor but instead an insecure/vulnerable design, which poses a high risk to patient monitor users and hospital networks.

“This nuance is not an additional intelligence of the threat because it demonstrates the absence of harmful intentions, and therefore changes the priority of correction activities. Said in a different way, it will most likely not be a campaign of patient data collection and is likely to be an unintentional exposure that can be used to collect information or perform unprotected firmware updates,” the Team82 researchers said.

Recommendations for healthcare professionals

CISA and the Food and Drug Administration (FDA) have urged healthcare professionals to take the following steps:

  • Disable remote monitoring features

  • Disconnect the affected devices from network access

  • Seek alternative patient monitors if offline use is not an option

The FDA stated that it is not aware of any reported cybersecurity incidents related to this vulnerability, but advises institutions to remain vigilant and report any anomalies.