
CISA Warns of Possible Backdoor in CMS8000 Patient Monitoring Devices

The Contec CMS8000 provides continuous monitoring of patients’ heart rate, blood oxygen, pulse, and other vital signs

CISA is warning hospitals and other health care providers about what it calls a backdoor in Contec CMS8000 patient monitors, which are manufactured by a Chinese technology company, saying that a hard-coded IP address for updates and other functionality could be an avenue for remote code execution. However, researchers who have disassembled the device and analyzed the firmware say the functionality is likely just a poor design choice rather than an intentional backdoor. 

Why It Matters: The CMS8000 provides continuous monitoring of patients’ heart rate, blood oxygen, pulse, and other vital signs and is used in many hospitals and other health-care facilities across the United States and elsewhere. Three versions of the device’s firmware include a hardcoded IP address located in China that can be used to copy files to remote devices. “CISA assesses that inclusion of this backdoor in the firmware of the patient monitor can create conditions which may allow remote code execution and device modification with the ability to alter its configuration. This introduces risk to patient safety as a malfunctioning patient monitor could lead to an improper response to patient vital signs,” the CISA fact sheet says. “In the function discovered by the research team, individual files are copied from the remote share to the device’s local filesystem. The copy mechanism automatically overwrites existing files on the device. No integrity verification mechanism, such as code signing verification, is performed before the copy occurs.” The IP address is registered to an educational institution in Shanghai rather than Contec itself.

Key Details

  • The issue is found in at least three versions of the firmware: version 2.0.6, a pre-release image of version 2.0.8, and a pre-release image of an unnumbered version.

  • Contec sells the CMS8000 under its own brand as well as through third parties who relabel the devices.

  • “The functionality in question has the ability to send real-time patient data from the device and connected peripherals to the IP address that is used to mount a remote NFS share as part of the configuration process. When the CMS8000 completes its startup routine, it will automatically beacon to the same IP address that is hard-coded into the backdoor function. Once a connection is established, patient information is then transmitted via port 515 to the IP address,” the CISA fact sheet says. Port 515 is normally used for remote communications with printers. “If the routine to connect to the hard-coded IP address and begin transmitting patient data is called, it will automatically initialize the eth0 interface in the same manner as the backdoor. This means that even if networking is not enabled on startup, running this routine will enable networking and thereby enable this functionality,” the fact sheet says.

Context

Researchers from Claroty’s Team 82 extracted the firmware from the CMS8000 and looked at the functionality cited by CISA’s alert and concluded that the inclusion of the hardcoded IP address for file transfer and updates looks more like a poor design choice than a backdoor. The IP address is included in the documentation for the device and listed as the IP address for the Central Management System.

“Absent additional threat intelligence, this nuance is important because it demonstrates a lack of malicious intent, and therefore changes the prioritization of remediation activities. Said differently, this is not likely to be a campaign to harvest patient data and more likely to be an inadvertent exposure that could be leveraged to collect information or perform insecure firmware updates. Regardless, because an exposure exists that is likely leaking PHI randomly or could be used in some scenarios for malicious updates, the exposure should be remediated as a priority,” the Claroty analysis says.

Mitigation

Regardless of whether the functionality is an intentional backdoor or a poor design choice, it’s a security concern for customers. CISA and the Food and Drug Administration recommend that organizations disable the remote monitoring functionality or unplug and stop using the devices immediately. Claroty also recommends that organizations block all access to the 202.114.4.0/24 subnet. 
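As an added example (not code from the article, CISA, Claroty or Contec), the following Python detector applies the two indicators this page gives, any contact with the 202.114.4.0/24 subnet and the startup beacon to port 515, to constructed firewall-log lines so that a hospital network team can confirm a block is working or spot a monitor that is still calling out. The log format, the 10.20.1.x sources and the 202.114.4.10 host are assumptions, not observed data.

```python
import ipaddress
from dataclasses import dataclass

# Values taken from the article: the hard-coded destination lies in the
# 202.114.4.0/24 subnet Claroty recommends blocking, and patient data is
# transmitted to port 515 (normally the LPD printer port).
SUSPECT_NET = ipaddress.ip_network("202.114.4.0/24")
PATIENT_DATA_PORT = 515


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one line of the constructed (hypothetical) log format:
    '<ts> <src_ip> -> <dst_ip>:<dport> <PROTO>'."""
    _ts, src, _arrow, dst_port, proto = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return Flow(src, dst, int(port), proto.lower())


def classify(flow: Flow):
    """Return a finding label for a flow matching the CMS8000 behaviour
    described in the CISA fact sheet, or None for anything else."""
    if ipaddress.ip_address(flow.dst) not in SUSPECT_NET:
        return None
    if flow.proto == "tcp" and flow.dport == PATIENT_DATA_PORT:
        return "patient-data-beacon"  # startup beacon on port 515
    return "contact-with-blocked-subnet"  # e.g. the NFS mount used for file copy


def scan(lines):
    """Run classify() over every non-empty line; return (src, dst, dport, label)."""
    findings = []
    for line in lines:
        if line.strip():
            flow = parse_flow(line)
            label = classify(flow)
            if label:
                findings.append((flow.src, flow.dst, flow.dport, label))
    return findings


# Constructed sample log: private sources, a placeholder host inside the
# suspect subnet (202.114.4.10 is illustrative) and benign traffic elsewhere.
SAMPLE_LOG = """
2025-02-01T08:00:01 10.20.1.15 -> 202.114.4.10:515 TCP
2025-02-01T08:00:02 10.20.1.15 -> 202.114.4.10:2049 TCP
2025-02-01T08:00:05 10.20.1.16 -> 10.20.1.1:53 UDP
2025-02-01T08:00:09 10.20.1.17 -> 203.0.113.5:443 TCP
"""
```

Calling `scan(SAMPLE_LOG.splitlines())` on the sample returns the two flows from 10.20.1.15, the port-515 beacon and the separate contact with the blocked subnet, which is the pair of events a monitor exhibiting the described behaviour would produce.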

“These patient monitors are still running vulnerable code that will always be attempting to connect to an externally routable IP address, so it is recommended to replace them with a more secure device unless the vendor modifies firmware to prevent this action in the future,” the Claroty researchers said.