News Backdoor uncovered in China-made patient monitors — Contec CMS8000 raises questions about healthcare device security

I think any computer hardware, no matter where it's made, has the potential for "backdoors". Most governments wouldn't be able to resist the temptation. For consumers, there is no way of getting around it.
 
"it doesn't mention the university, the IP address, or the country it is sending data to"

It doesn't sound like they're too sure of their findings.
 
"it doesn't mention the university, the IP address, or the country it is sending data to"

It doesn't sound like they're too sure of their findings.
That selective quotation really makes you look like you have an agenda here. Here is the part you cut out with that quoting:
"The agency mentions the IP address is not associated with any medical device manufacturer. Still, it is a third-party university, though it doesn't mention the university, the IP address, or the country it is sending data to. The CISA also ruled out this coding was meant to be an alternative update system as it does not contain standard update procedures such as tracking updated versions or doing integrity checks. Instead, it has the remote file shared and transmitted to the IP address."

They know what it is but have not shared it. Stop it.
 
Of course they found a back door. They'll find others.

We live in an age where information is more valuable than money and China knows they need to have all the information.
The fact that it's using a fixed IP address to a university smells like 2 possibilities:
1- early debug/qualification code that wasn't removed at the end of the qualification program (any code modification requires validation when it's for medical devices - that enables deactivating such remote access)
2- cheap way for a university to get samples data.
If it were a real back door, it would have been obfuscated, and if it were for a state agency, it would not point to a public facility.
Also, this kind of 'attack' is easy to circumvent: block non-approved IP addresses in outbound traffic.
 
Also, this kind of 'attack' is easy to circumvent: block non-approved IP addresses in outbound traffic.
For reliable devices, that should not be needed.
Whatever the reason, why is it there?

Just like with inexpensive security camera things... a hardcoded admin pwd that you, the buyer, have no influence over.
Left there by clueless/incompetent devs, or on purpose to extract data.
 
I think any computer hardware, no matter where it's made, has the potential for "backdoors". Most governments wouldn't be able to resist the temptation. For consumers, there is no way of getting around it.

Yep, but this actually contains a backdoor. Sending private or confidential information, such as the name of the doctor, the patient and all that, to an unknown source.

Companies need to double packet-sniff check all the outgoing data from such places.
 
For reliable devices, that should not be needed.
Here I do not agree, network filtering should be done for any device.
In the case of a medical monitoring tool, "reliable" does not imply "IT secure".

Whatever the reason, why is it there?
@mitch074 give some plausible examples.

Just like with inexpensive security camera things... a hardcoded admin pwd that you, the buyer, have no influence over.
Left there by clueless/incompetent devs, or on purpose to extract data.
Agree.
 
So:
  1. On startup, the device connects to a NFS share and blindly copies/overwrites local files. ANYTHING could be installed this way.
  2. During normal operation, patient data is constantly being sent to the remote server using a custom protocol.

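As an added example (not from the article, CISA, or any poster here), a small Python egress check that applies the two points made above: flag any connection originating from the monitor VLAN to a destination not on an approved list, and flag NFS traffic (the boot-time share mount) separately. The subnet, the approved destinations, the 203.0.113.7 address and the flow-record format are all constructed placeholders, not values from the advisory.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: the patient-monitor subnet and the only destinations the
# monitors are approved to reach (central station, internal NTP/DNS). Hypothetical.
MONITOR_SUBNET = ipaddress.ip_network("10.20.30.0/24")
APPROVED_DESTINATIONS = {
    ipaddress.ip_address("10.20.1.10"),  # central monitoring station (hypothetical)
    ipaddress.ip_address("10.20.1.53"),  # internal NTP/DNS (hypothetical)
}
NFS_PORTS = {111, 2049}  # rpcbind/portmapper and nfsd

@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    dport: int
    reason: str

def parse_flow(line):
    # Constructed record format: "<ts> <src>:<sport> -> <dst>:<dport>/<proto> <bytes>"
    ts, src, _arrow, dst, nbytes = line.split()
    src_ip, _sport = src.rsplit(":", 1)
    dst_ip, rest = dst.rsplit(":", 1)
    dport, proto = rest.split("/")
    return (ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip),
            int(dport), proto, int(nbytes))

def check_egress(lines):
    """Return findings for monitor-originated flows that mount NFS or leave the allowlist."""
    findings = []
    for line in lines:
        src, dst, dport, _proto, _nbytes = parse_flow(line)
        if src not in MONITOR_SUBNET:
            continue  # only traffic originating from the monitors is of interest
        if dport in NFS_PORTS:
            findings.append(Finding(str(src), str(dst), dport, "nfs-mount-attempt"))
        if dst not in APPROVED_DESTINATIONS:
            findings.append(Finding(str(src), str(dst), dport, "unapproved-egress"))
    return findings

def unapproved_destinations(findings):
    """Distinct destinations to feed into an outbound deny rule, sorted."""
    return sorted({f.dst for f in findings if f.reason == "unapproved-egress"})

# Constructed flow records: one approved upload, one NFS mount to an outside host
# at boot, one periodic upload on an arbitrary port, and one inbound flow.
SAMPLE_FLOWS = [
    "2025-01-30T08:00:01 10.20.30.15:49152 -> 10.20.1.10:5000/tcp 2048",
    "2025-01-30T08:00:02 10.20.30.15:49153 -> 203.0.113.7:2049/tcp 512",
    "2025-01-30T08:05:00 10.20.30.15:49154 -> 203.0.113.7:9999/tcp 8192",
    "2025-01-30T08:05:01 10.20.1.10:34000 -> 10.20.30.15:5000/tcp 100",
]
```

Run over real flow or firewall logs, the output of unapproved_destinations is the list a site would block outbound, and the nfs-mount-attempt findings are the boot-time behaviour worth alerting on regardless of destination.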
For reliable devices, that should not be needed.
Whatever the reason, why is it there?

Just like with inexpensive security camera things... a hardcoded admin pwd that you, the buyer, have no influence over.
Left there by clueless/incompetent devs, or on purpose to extract data.
see point 1 in the comment you (selectively) quoted.
 
see point 1 in the comment you (selectively) quoted.
"1- early debug/qualification code that wasn't removed at the end of the qualification program (any code modification requires validation when it's for medical devices - that enables deactivating such remote access)"

Exactly.
Failure to remove that smacks of clueless dev process and validation.
 
"1- early debug/qualification code that wasn't removed at the end of the qualification program (any code modification requires validation when it's for medical devices - that enables deactivating such remote access)"

Exactly.
Failure to remove that smacks of clueless dev process and validation.
Yeah. As if no company (including US ones) had ever been guilt-free of such.
 
So if the evidence is accurate, in the USA all these devices will be ordered to be removed from usage, but they won't and a mass sue ball at the company. They will plead ignorance, offer a few million to the lawyers and whoever and change the code, but medical companies will be too lazy to upgrade devices and cost too much, so will probably just block IP and let it get swept under the rug.

In EU, they will be given a stay and ordered to change code and probably will, and company gets a fine for GDPR breach.

In the UK, they will be given a stay and ordered to change code, they won't as the UK regulator is toothless, the NHS has no cash to update them and the Government will just IP block, and the company will win a new contract to replace them at twice the price at the next procurement funding meeting, as some local MP will demand we buy British, as the company rents a broom cupboard in his constituency, even if everything is built in China and it's a foreign-owned company.
 
So if the evidence is accurate, in the USA all these devices will be ordered to be removed from usage, but they won't and a mass sue ball at the company. They will plead ignorance, offer a few million to the lawyers and whoever and change the code, but medical companies will be too lazy to upgrade devices and cost too much, so will probably just block IP and let it get swept under the rug.

In EU, they will be given a stay and ordered to change code and probably will, and company gets a fine for GDPR breach.

In the UK, they will be given a stay and ordered to change code, they won't as the UK regulator is toothless, the NHS has no cash to update them and the Government will just IP block, and the company will win a new contract to replace them at twice the price at the next procurement funding meeting, as some local MP will demand we buy British, as the company rents a broom cupboard in his constituency, even if everything is built in China and it's a foreign-owned company.
I suppose nothing relevant will happen, just a normal software/firmware upgrade.
Without forgetting that the problem exists only if they are directly connected to the internet, without protection.
 
You left out the ethical aspect.
That's not under the definition of "pathetic". And if we're talking ethical, then exactly which government is clean in that regard?

--------
Pathetic
adjective

1.
arousing pity, especially through vulnerability or sadness.
"she looked so pathetic that I bent down to comfort her"

2.
miserably inadequate; of very low standard.
"he's a pathetic excuse for a man"