Cyber security researchers say that the security alerts concerning Contec CMS8000 devices – which are used in Australia – reflect a more complex reality.
The US Cybersecurity and Infrastructure Security Agency (CISA), backed by the Food and Drug Administration (FDA), released an alert late last month warning of a backdoor that reports to a Chinese IP address in a family of Chinese-made patient monitoring devices.
CISA warned healthcare providers that the Contec CMS8000 patient monitor – widely used around the world, including in Australia – and its variants featured “hidden” backdoor functionality and that the device “can create conditions which may allow remote code execution and device modification with the ability to alter its configuration”.
However, researchers at cyber security company Claroty have a different opinion.
According to Claroty’s Team82, the issue with the Contec devices is not a malicious backdoor but a design flaw. The device’s operating manual references the hard-coded IP address, explaining that it links to the Central Management System, so the functionality is not hidden at all, despite what CISA and the FDA claim.
It’s still a dangerous issue, however, and could pose a risk to patient data.
“Absent additional threat intelligence, this nuance is important because it demonstrates a lack of malicious intent, and therefore changes the prioritisation of remediation activities,” Claroty’s researchers said.
“Said differently, this is not likely to be a campaign to harvest patient data and more likely to be an inadvertent exposure that could be leveraged to collect information or perform insecure firmware updates.
“Regardless, because an exposure exists that is likely leaking PHI randomly or could be used in some scenarios for malicious updates, the exposure should be remediated as a priority.”
Claroty recommends blocking access to the subnet 202.114.4.0/24 from the internal network and blocking unplanned firmware upgrades from external sources. In addition, where possible, the default IP address should not be used; if it must be used, network segmentation and/or static routing should be employed to limit external traffic.
Finally, given the vulnerable code running on the devices, Claroty recommends that replacing them – if possible – may be the best option.
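One way a hospital network team might check whether Claroty’s first recommendation is actually in force is to scan firewall or flow logs for monitor traffic headed to 202.114.4.0/24 and note whether each flow was allowed or denied. The script below is an added example written for this article, not tooling from Claroty, CISA or Contec; the key=value log format, the internal addresses in the 10.20.30.0/24 range and the specific 202.114.4.x destinations are all constructed for the demonstration.

```python
"""Detection helper (added example, not Claroty's or CISA's tooling): scan
firewall/flow logs for traffic toward 202.114.4.0/24, the subnet Claroty
recommends blocking, and report whether the block is actually enforced."""
import ipaddress
from collections import Counter

# Subnet named in the article as the destination to block.
BLOCKED_NET = ipaddress.ip_network("202.114.4.0/24")

# Constructed sample log lines in a simple key=value format. Real firewall
# exports differ; only parse_line() needs to change for another format.
SAMPLE_LOGS = """\
ts=2025-02-01T10:00:01Z src=10.20.30.41 dst=202.114.4.10 proto=tcp action=allow
ts=2025-02-01T10:00:05Z src=10.20.30.41 dst=10.20.1.5 proto=tcp action=allow
ts=2025-02-01T10:01:12Z src=10.20.30.42 dst=202.114.4.77 proto=udp action=deny
ts=2025-02-01T10:02:00Z src=10.20.30.43 dst=8.8.8.8 proto=udp action=allow
malformed line that should be skipped
"""


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; return None for lines without src/dst."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    if "src" not in fields or "dst" not in fields:
        return None
    return fields


def find_egress_to_net(log_text, net=BLOCKED_NET):
    """Return one finding per flow whose destination falls inside `net`.

    Each finding records the source host and whether the firewall let the
    flow through ('allow' means the recommended block is not in force).
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        try:
            dst = ipaddress.ip_address(rec["dst"])
        except ValueError:
            continue  # unparsable destination, e.g. a hostname
        if dst in net:
            findings.append({
                "ts": rec.get("ts", "?"),
                "src": rec["src"],
                "dst": str(dst),
                "block_enforced": rec.get("action") == "deny",
            })
    return findings


def summarize(findings):
    """Count talking hosts and how many flows got through despite the advice."""
    return {
        "hosts": Counter(f["src"] for f in findings),
        "allowed": sum(1 for f in findings if not f["block_enforced"]),
        "denied": sum(1 for f in findings if f["block_enforced"]),
    }


if __name__ == "__main__":
    hits = find_egress_to_net(SAMPLE_LOGS)
    for h in hits:
        status = "blocked" if h["block_enforced"] else "ALLOWED - block missing"
        print(f"{h['ts']} {h['src']} -> {h['dst']}: {status}")
    print(summarize(hits))
```

A flow that was allowed is the actionable result: it shows a monitor that still reaches the hard-coded destination, so the egress block, segmentation or static route the article describes has not taken effect for that host. Denied flows are expected while the devices keep their default configuration and mainly serve as an inventory of which monitors are still trying.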
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.