2025-01-31
FDA and CISA Warn of Backdoors in Contec and Epsimed Patient Monitors
The US Food and Drug Administration (FDA) and the Cybersecurity and Infrastructure Security Agency (CISA) have published documents advising that firmware in some Contec and Epsimed internet-connected patient monitors contains a hardcoded credential backdoor that could be exploited to put patient safety at risk. The backdoor could allow attackers to alter device configurations. The publications also note that the devices collect patient data, including protected health information and personally identifiable information, allowing exfiltration of the data 'outside of the health care delivery environment.' The issue affects Contec CMS8000 patient monitors and Epsimed MN-120 patient monitors. The FDA document includes recommendations for patients and caregivers, healthcare providers, and health care facility staff, including information technology (IT) and cybersecurity staff.
Editor's Note
These devices belong to that large population of appliances that should never be visible to the Internet, where any who may have implemented such backdoors can see and exploit them. Rule 1 is "a device must be able to protect itself from all traffic on any network to which it is attached." Rule 2 is "developers cannot be relied upon to implement Rule 1."

William Hugh Murray
Hardcoded credentials are the gift that keeps on giving. As seductive as hardcoded credentials are, just say no; make sure you're not only checking for developer use of them but also any acquisitions as well. If you have a patient monitor, ask your healthcare provider if it allows for remote monitoring. If it does, the FDA is suggesting a replacement be obtained without that functionality, with only authorized wired connections for patient monitoring, but even so there are monitors with unauthorized wireless connections which are in use.

Lee Neely
This may be one of the very few times where a vendor/government has been caught red-handed. The vendor may have been operating on behalf of the government or collecting data for other business purposes; we don't really know. The hardcoded credential is one thing, but the hardcoded IP address, lack of logging, and use of port 515 are not explainable. Regardless, it's a violation of patient privacy and customer rights. The question becomes what you do about it. Contec is a global provider, often relabeling their products under different brand names, so there may not be sufficient competition in this market.

Curtis Dukes
I did a BSides Orlando Keynote in 2015 on regulations and how we can expect them at some point. One of those slides included a talk on Healthcare; given my background in Healthcare IT, I thought I would mention that if someone hacked one of those machines, we wouldn't have much forensic information about it. Well, I never thought I'd see an example of a backdoor or potential backdoor in a healthcare device, but here is one. Now comes the question: what exactly can this do, what was its intended purpose, and is it even nefarious given it will be beaconing to a university? I'm not sure we have all the answers, but this is fascinating.

Moses Frost
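The traffic pattern the notes above describe (a hardcoded remote address, port 515, no device-side logging, a monitor beaconing out on its own) is something a hospital network team can watch for at the perimeter even though the device itself records nothing. The following is an added example, not code from the advisory, the vendor, or any of the commentators; it assumes the monitors sit in a 10.50.0.0/24 VLAN and runs over constructed iptables-style log lines whose destinations are TEST-NET placeholders, not the address named in the advisory:

```python
import ipaddress
import re

# Added example, not from the advisory or any vendor: scan firewall logs for
# the pattern the editors describe, a monitor on the clinical VLAN talking to
# a non-RFC1918 host, especially on TCP/515. The device keeps no logs, so the
# perimeter is where this behaviour can be caught.

MONITOR_NET = ipaddress.ip_network("10.50.0.0/24")   # assumed monitor VLAN
SUSPECT_PORTS = {515}
# RFC1918 only: ipaddress's is_private also counts TEST-NET as private,
# which would hide the placeholder destinations in the sample below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed iptables-style lines; 203.0.113.x / 198.51.100.x are TEST-NET
# placeholders, not the address named in the advisory.
SAMPLE_LOGS = """\
Jan 31 10:01:02 fw kernel: FWD SRC=10.50.0.21 DST=203.0.113.10 PROTO=TCP SPT=44120 DPT=515
Jan 31 10:01:05 fw kernel: FWD SRC=10.50.0.21 DST=10.50.1.5 PROTO=TCP SPT=44121 DPT=515
Jan 31 10:01:09 fw kernel: FWD SRC=10.20.0.7 DST=203.0.113.10 PROTO=TCP SPT=50001 DPT=443
Jan 31 10:02:12 fw kernel: FWD SRC=10.50.0.33 DST=198.51.100.4 PROTO=TCP SPT=44122 DPT=515
Jan 31 10:02:40 fw kernel: FWD SRC=10.50.0.40 DST=198.51.100.9 PROTO=UDP SPT=5353 DPT=53
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
                     r"SPT=\d+ DPT=(?P<dpt>\d+)")

def is_external(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)

def classify(src, dst, proto, dport):
    """Return a reason string if the flow is suspicious, else None."""
    if ipaddress.ip_address(src) not in MONITOR_NET or not is_external(dst):
        return None
    if proto == "TCP" and dport in SUSPECT_PORTS:
        return "tcp/515 egress, matches the advisory's beacon pattern"
    return f"unexpected monitor egress ({proto.lower()}/{dport})"

def find_findings(log_text):
    """Return a list of (src, dst, reason) for every suspicious flow."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            reason = classify(m["src"], m["dst"], m["proto"], int(m["dpt"]))
            if reason:
                findings.append((m["src"], m["dst"], reason))
    return findings
```

Any hit on the first reason is worth an immediate look; hits on the second are the broader "this VLAN should have no Internet path at all" check from the first note above.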
Read more in
CISA: Contec CMS8000 Contains a Backdoor
The Record: FDA, CISA warn of backdoor in popular patient monitor used by US hospitals
The Hacker News: CISA and FDA Warn of Critical Backdoor in Contec CMS8000 Patient Monitors
Bleeping Computer: Backdoor found in two healthcare patient monitors, linked to IP in China
SC World: Backdoor in Contec CMS8000 monitors may allow faulty patient readings
Security Week: CISA, FDA Warn of Dangerous Backdoor in Contec Patient Monitors
Help Net Security: Patient monitors with backdoor are sending info to China, CISA warns