- CISA has issued a warning about a Chinese-made patient monitor that quietly relays sensitive data
- Several devices have been found carrying malicious code in their firmware
- The manufacturer has tried and failed to fix the flaw
At least three medical devices built by Chinese manufacturers have been found with firmware backdoors that apparently relay sensitive information to a Chinese university.
The US Cybersecurity and Infrastructure Security Agency (CISA) recently issued a warning about the Contec CMS8000, a patient monitor used in hospitals and clinical settings to track vital signs such as ECG, blood pressure, oxygen saturation (SpO₂), respiratory rate and temperature.
The agency said an independent researcher discovered the device engaging in malicious activity: connecting to a hard-coded external IP address. BleepingComputer was able to determine that the IP address belonged to a "Chinese university", but did not say which one.
No patch
The researchers then discovered that the malicious activity was tied to a backdoor planted in the firmware, which would download and quietly execute files on the device. The backdoor would give unknown third parties the ability to run code remotely, take control of patient monitors and send patient data overseas. None of this activity was logged, so it stayed under the radar of the IT administrators managing the devices.
A more in-depth investigation revealed that the same IP address had been found in software for other medical equipment, including a pregnancy patient monitor from another Chinese healthcare manufacturer, BleepingComputer added. The FDA said it had also found it in Epsimed MN-120 patient monitors (essentially rebranded Contec CMS8000 devices).
CISA contacted Contec, informed it of the backdoor, and the company came back with "several firmware images" that were supposed to mitigate the problem. However, none of the firmware updates properly resolved the issue, leaving the backdoor functional.
Since the vulnerability has not yet been fully addressed, CISA has urged all users to disconnect the devices from the wider network wherever possible.
Via BleepingComputer
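Because the backdoor's own activity is not logged on the device, the practical place to catch a hard-coded call-home is the network edge. The following is an added example (not code from the article, CISA or Contec) of the check a hospital SOC can run over firewall logs: it flags flows from the monitor VLAN to any destination outside an allowlist, then isolates destinations that several monitors contact on the same port, which is the signature a hard-coded address produces. The log lines, the VLAN ranges and the stand-in address 203.0.113.7 are constructed; the article does not publish the real IP.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the original article).
# 203.0.113.7 (a documentation range) stands in for the hard-coded address.
SAMPLE_LOGS = """\
2025-01-30T09:12:01Z src=10.40.1.21 dst=10.40.0.5 dport=443 action=allow
2025-01-30T09:12:05Z src=10.40.1.21 dst=203.0.113.7 dport=515 action=allow
2025-01-30T09:12:09Z src=10.40.1.22 dst=203.0.113.7 dport=515 action=allow
2025-01-30T09:12:15Z src=10.40.1.22 dst=10.40.0.5 dport=443 action=allow
2025-01-30T09:13:00Z src=10.20.3.9 dst=203.0.113.7 dport=443 action=allow
2025-01-30T09:13:30Z src=10.40.1.21 dst=8.8.8.8 dport=53 action=allow
"""

# Assumed deployment: patient monitors sit in their own VLAN and should only
# ever talk to the central monitoring station.
MONITOR_NET = ipaddress.ip_network("10.40.1.0/24")
ALLOWED_DST = {ipaddress.ip_address("10.40.0.5")}

LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def find_unexpected_egress(log_text):
    """Return {dst: [(src, dport), ...]} for flows that originate in the
    monitor VLAN and reach a destination that is not on the allowlist."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that are not flow records
        src = ipaddress.ip_address(m.group(1))
        dst = ipaddress.ip_address(m.group(2))
        if src not in MONITOR_NET or dst in ALLOWED_DST:
            continue
        hits[str(dst)].append((str(src), int(m.group(3))))
    return dict(hits)


def shared_destinations(hits, min_sources=2):
    """Destinations contacted by several monitors on a single port: the
    pattern of a firmware-wide hard-coded address rather than one-off noise."""
    return sorted(dst for dst, flows in hits.items()
                  if len({s for s, _ in flows}) >= min_sources
                  and len({p for _, p in flows}) == 1)
```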