Agencies Sound Alarm on Patient Monitors With Hardcoded Backdoor

CISA and the FDA are warning that Contec CMS8000 and Epsimed MN-120 patient monitors are open to meddling and data theft; Claroty Team82 flagged the vulnerability as an avoidable insecure design issue.

A hand holding an IV next to a patient monitor
Source: BMumin Mutlu via Alamy Stock Photo

Last week, the Cybersecurity and Infrastructure Security Agency (CISA), alongside the US Food and Drug Administration (FDA), raised an alert for Contec CMS8000 and Epsimed MN-120 healthcare monitors, warning they potentially put patients at risk once connected to the Internet, due to a malicious, hidden backdoor embedded into the devices. But security researchers say the issue isn't actually intentional malware but, rather, just insecure design.

The devices continuously monitor patient vital signs, such as heart rate, blood oxygen saturation, temperature, respiration rate, and more. CISA and the FDA reported findings for three cybersecurity risks in the gear thanks to the "backdoor": an unauthorized user could remotely control a monitor and cause it to function in an unintended manner; attackers could compromise the device and pivot to a network; and an attacker could exfiltrate the data that the monitor collects. 

From a patient health perspective, if an attacker were able to manipulate the information the monitor gives patients, that could prevent them from realizing that there's something wrong. Though they reported no known cybersecurity incidents, deaths, or injuries related to the findings, the FDA still provided recommendations for patients and caregivers: talking to healthcare providers about evaluating their patient monitoring device and following certain steps if it does rely on an Internet connection.


The FDA also tasked healthcare providers with checking their patients' Contec CMS8000 or Epsimed MN-120 patient monitors to determine if they have been functioning unusually.

Patient Monitor Cyber Bug: Not Malicious, Just Problematic

After learning of the alerts, Claroty's Team82 investigated the firmware and reached a different conclusion from CISA and the FDA: It is likely not a hidden backdoor that makes these devices a liability to patients and their medical information, but rather an insecure design that creates a vulnerability open for exploit by threat actors.

The researchers pointed out that the vendors, and any resellers interested in relabeling and selling the monitor publicly, list the IP address in their instruction manuals.

"The CONTEC operator manual specifically mentions this 'hard-coded' IP address as the central management system (CMS) IP address that organizations should use, so it is not hidden functionally as stated by CISA," wrote the Team82 researchers. "This nuance is important because it demonstrates a lack of malicious intent and therefore changes the prioritization of remediation activities."


The vulnerability still poses real-world consequences, but Noam Moshe, a Team82 researcher, notes that a threat actor would first require knowledge of the device's architecture and protocols. 

"To gain code execution, first the device needs to be put on a system-upgrade process," says Moshe. "From our research, this requires physical access to the device."

After that though, the hardcoded nature of the IP address opens the door to easier exploitation.

"To exploit this vulnerability, an attacker would need to serve devices with malicious binaries on the hardcoded public IP address, giving them code execution on the device," Moshe says. "In the case of the device trying to send personally identifiable information (PII) or personal health information (PHI) to the hardcoded IP address, using the HL7 protocol, this could occur if a certain feature of the device would be enabled."

Healthcare Devices: Monitoring the Threat

Perhaps exploitation of this particular vulnerability doesn't seem all that likely, but medical devices have been a point of cyber contention for years.

All the way back in 2011 for instance, Jay Radcliffe took to the Black Hat USA stage to show the audience how insulin pumps like the one he wore could be hacked, in a presentation entitled "Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System."


And as healthcare institutions are ravaged by ransomware attacks compromising their resources and putting patient lives at risk, many medical devices still haven't caught up when it comes to bolstering cybersecurity guardrails. Specifically, many of them are aging and running legacy software that hasn't been updated in years, offering plenty of holes for attackers.

However, agencies like the FDA are pushing companies to make strides, such as in 2023 when it began to reject medical devices that don't comply with recent cybersecurity regulation.

But there is still a long way to go: In 2024, researchers cited healthcare and the Internet of Medical Things (IoMT) as the riskiest device sector, even though it did have the biggest decline overall in the number of risky devices deployed.

As for the patient monitor, Team82 researchers recommend that healthcare organizations take steps to protect patients, such as blocking all access to the subnet from their internal network, and blocking devices attempting to upgrade firmware from a WAN server or potentially send PII.

"Hospitals should implement vulnerability detection and patching processes," Moshe says, "alongside network segmentation, driven by high-quality passive visibility that will ensure the most secure network layout."
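The segmentation and monitoring advice above, and the two abuse paths Moshe describes (a firmware fetch from the hardcoded WAN address, and HL7 traffic carrying PII/PHI to that same address), can be turned into a simple egress audit over flow logs. The script below is an added example, not code from Claroty Team82, Contec, Epsimed, CISA or the FDA. Everything in it is assumed: the monitor subnet, the hospital's own central management system (CMS) address, the flow-log line format, and the vendor's hardcoded address, which the article does not publish and which is therefore a TEST-NET-3 placeholder here. The HL7 MLLP port (2575) is the IANA-registered default.

```python
"""Egress audit for a patient-monitor VLAN (added example, not vendor code).

Policy encoded here, following the article's recommendations: a monitor may
only speak HL7 to the organisation's own CMS.  Anything else it originates is
a finding: contact with the vendor's hardcoded WAN address (firmware pull or
HL7 egress), a connection into the rest of the internal network (pivot), or
any other outbound traffic.
"""
import ipaddress

# Constructed values; the real hardcoded IP is not given in the article.
MONITOR_SUBNET = ipaddress.ip_network("10.20.30.0/24")       # where monitors live
APPROVED_CMS = ipaddress.ip_address("10.20.40.5")            # hospital's own CMS
HARDCODED_VENDOR_IP = ipaddress.ip_address("203.0.113.10")   # placeholder (TEST-NET-3)
INTERNAL = ipaddress.ip_network("10.0.0.0/8")                # rest of the hospital LAN
HL7_MLLP_PORT = 2575                                         # IANA default for HL7 over MLLP


def parse_flow(line):
    """Parse 'timestamp src dst dport proto bytes' into a dict; None for blanks/comments."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    ts, src, dst, dport, proto, nbytes = line.split()
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
        "proto": proto,
        "bytes": int(nbytes),
    }


def classify(flow):
    """Return None if the flow is permitted by the policy, else a short reason."""
    if flow["src"] not in MONITOR_SUBNET:
        return None  # only monitor-originated traffic is in scope for this audit
    dst = flow["dst"]
    if dst == APPROVED_CMS and flow["dport"] == HL7_MLLP_PORT:
        return None  # the one sanctioned destination: HL7 to the in-house CMS
    if dst == HARDCODED_VENDOR_IP:
        if flow["dport"] == HL7_MLLP_PORT:
            return "hl7-to-hardcoded-ip"          # PII/PHI leaving for the vendor address
        return "other-traffic-to-hardcoded-ip"    # e.g. the system-upgrade binary fetch
    if dst in INTERNAL:
        return "lateral-to-internal-host"         # monitor reaching into the LAN
    return "unexpected-egress"


def audit(lines):
    """Run classify() over flow-log lines; return (src, dst, reason) for each finding."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        reason = classify(flow)
        if reason:
            findings.append((str(flow["src"]), str(flow["dst"]), reason))
    return findings


# Constructed sample flow log: timestamp src dst dport proto bytes
SAMPLE_FLOWS = """
2025-01-31T10:00:01Z 10.20.30.12 10.20.40.5   2575 tcp 1800   # monitor -> hospital CMS over HL7 (allowed)
2025-01-31T10:00:05Z 10.20.30.12 203.0.113.10 80   tcp 52000  # monitor pulling binaries from the hardcoded WAN IP
2025-01-31T10:00:09Z 10.20.30.14 203.0.113.10 2575 tcp 4200   # HL7 records leaving for the hardcoded WAN IP
2025-01-31T10:01:00Z 10.20.30.14 10.20.50.7   445  tcp 900    # monitor reaching a file server on the LAN
2025-01-31T10:01:30Z 10.20.50.7  10.20.30.12  22   tcp 300    # LAN host -> monitor: out of scope here
"""

if __name__ == "__main__":
    for src, dst, reason in audit(SAMPLE_FLOWS.splitlines()):
        print(f"{src} -> {dst}: {reason}")
```

The policy is deliberately strict: the approved CMS is reachable only on the HL7 port, so a monitor talking to the CMS on any other port is reported as lateral movement rather than silently allowed. In practice the same allow list would be enforced on the VLAN's firewall, with this audit run against the firewall's own flow export to confirm that the blocks actually hold and that no monitor has the vendor-address feature enabled.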
