SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers

Contec CMS8000 patient monitors pose data security risk, experts warn


The Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Food and Drug Administration have issued security alerts regarding the Contec CMS8000 patient monitors, indicating potential vulnerabilities in the devices produced in China.

The alerts state that these monitors, widely used in healthcare settings to track patients' vital signs, contain a backdoor: a "hidden functionality" that points to a hardcoded IP address in China and enables outbound communication for patient data and firmware updates, which the agencies consider a security risk.

However, cybersecurity researchers from Claroty have examined the matter and suggested a different interpretation of the findings. They believe the issue does not stem from a deliberate backdoor mechanism but from an insecure or vulnerable design in the patient monitors. Their investigation nonetheless found significant cyber risk to users and hospital networks from this design flaw, which could allow unauthorised remote control of the monitors and exfiltration of sensitive patient data.

Claroty researchers stated, "This is not likely to be a campaign to harvest patient data and more likely to be an inadvertent exposure that could be leveraged to collect information or perform insecure firmware updates. Regardless, because an exposure exists that is likely leaking PHI randomly or could be used in some scenarios for malicious updates, the exposure should be remediated as a priority."

The reports underscore the necessity for healthcare providers using these devices to address the vulnerability promptly. Claroty has provided specific instructions and recommendations for mitigating the risks associated with the use of these patient monitors.

Team82, Claroty's research arm, performed an in-depth analysis of the firmware and found evidence to support its claim that this is an insecure design issue rather than a hidden backdoor. Team82 noted that the vendor and resellers have documented the use of these IP addresses in their manuals, advising customers to configure the Central Management System (CMS) with them, which contradicts the "hidden functionality" claim.

Team82's work on these devices included a presentation at Claroty's 2022 Nexus Conference, where the researchers demonstrated a proof of concept for the vulnerability in the Contec CMS8000 monitors.

The alerts from CISA and the FDA had stated that these monitors "can create conditions which may allow remote code execution and device modification with the ability to alter its configuration," potentially endangering patients if clinicians act on inaccurate displayed vital signs.

Claroty's analysis concluded that there is no substantial threat intelligence pointing to a campaign aimed at data harvesting, and that the evidence instead indicates an inadvertent data exposure. Nonetheless, the exposure could still leak patient data or be abused for malicious firmware updates, which is why urgent mitigation is still required.

Healthcare organisations are advised to block access to the subnet 202.114.4.0/24 from their internal networks, which prevents both firmware upgrades from the wide area network server and the transmission of personally identifiable information to it. Reviewing the devices' default network configuration and applying robust network segmentation are also recommended, since a perimeter block stops the traffic but does not stop the monitors from attempting it.
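A practitioner applying the subnet block above will want to confirm it is actually effective. The following Python script is an added example, not code from the article, CISA, the FDA or Claroty: it audits constructed egress-firewall log lines (the `key=value` format, the 10.20.5.x monitor addresses, the destination hosts inside 202.114.4.0/24 and the ports are all made up for illustration) and reports which monitors still reach the advised subnet with an `allow` verdict (the block is missing or misplaced) versus a `deny` verdict (the block works, but the device's default network configuration still points at that subnet and should be reviewed). The nftables rule string it emits assumes a pre-existing `inet filter` table with a `forward` chain.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Subnet that CISA/Claroty advise blocking (from the article).
BLOCKED_SUBNET = ipaddress.ip_network("202.114.4.0/24")

# Constructed sample log lines for illustration only; not real traffic.
# Hosts, ports and the key=value layout are hypothetical.
SAMPLE_LOG = """\
2025-01-31T08:00:01Z action=allow src=10.20.5.17 dst=10.20.1.10 dport=8080 proto=tcp
2025-01-31T08:00:03Z action=allow src=10.20.5.17 dst=202.114.4.10 dport=8080 proto=tcp
2025-01-31T08:00:04Z action=allow src=10.20.5.18 dst=202.114.4.20 dport=443 proto=tcp
2025-01-31T08:00:09Z action=allow src=10.20.5.18 dst=10.20.1.53 dport=53 proto=udp
2025-01-31T08:01:12Z action=deny src=10.20.5.19 dst=202.114.4.10 dport=8080 proto=tcp
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"action=(?P<action>allow|deny)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)"
)


def is_blocked(ip: str) -> bool:
    """True if `ip` is an IPv4 address inside the advised block subnet."""
    try:
        return ipaddress.ip_address(ip) in BLOCKED_SUBNET
    except ValueError:  # garbage in the log, not an address
        return False


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Extract action/src/dst from one log line; None if it does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def audit_egress(log_text: str) -> Dict[str, Dict[str, List[str]]]:
    """Group flows to the blocked subnet by firewall verdict and source host.

    'allowed' hits mean the block is missing or bypassed; 'denied' hits mean
    the block holds but the device still tries, so its default network
    configuration should be reviewed and the segment isolated.
    """
    result: Dict[str, Dict[str, List[str]]] = {"allowed": {}, "denied": {}}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_blocked(rec["dst"]):
            continue
        bucket = "allowed" if rec["action"] == "allow" else "denied"
        result[bucket].setdefault(rec["src"], []).append(rec["dst"])
    return result


def nft_block_rule(subnet: ipaddress.IPv4Network = BLOCKED_SUBNET) -> str:
    """nftables rule that drops forwarded traffic to the subnet.

    Assumes a table `inet filter` with a `forward` chain already exists.
    """
    return f"nft add rule inet filter forward ip daddr {subnet} counter drop"


if __name__ == "__main__":
    findings = audit_egress(SAMPLE_LOG)
    for src, dsts in findings["allowed"].items():
        print(f"BLOCK MISSING: {src} reached {sorted(set(dsts))}")
    for src, dsts in findings["denied"].items():
        print(f"STILL ATTEMPTING: {src} tried {sorted(set(dsts))}; review device config")
    print("Suggested rule:", nft_block_rule())
```

Run it against an export from your own egress firewall after adjusting `LINE_RE` to that firewall's log format; any source under "BLOCK MISSING" is a monitor whose segment is not covered by the rule.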
