Tech Explained: Firmware Backdoors

Last month I came across a document released by the US cyber defence agency and never really got time to look into it in detail. I think this deserves more attention. It details that a patient monitor, the Contec CMS8000, used in many hospitals to track vitals like heart rate and oxygen levels, contains a firmware backdoor.

This backdoor is hardcoded into the device. When it powers on, it quietly tries to connect to a specific IP address owned not by Contec but by a university in China. Once connected, it mounts a remote file system and copies files into critical system directories, overwriting whatever is already there. There’s no integrity check, no version tracking, and no logging. The device just accepts and runs whatever it gets.

Technically, this is done using standard Linux commands like “ifconfig eth0 up” to enable the network, then “mount -t nfs” to reach the remote server, followed by “cp -rf” to replace files. These commands essentially hand over control of the device to whoever controls that IP. Even worse, patient data like ECG, SpO2, and blood pressure is transmitted to that same IP address over port 515 (normally used for old printer systems), not even using proper medical protocols. There’s no encryption, no authentication, just raw patient data streamed out. This means that a remote handler who wants your full data can get it without any fuss. With the backdoor, they can also just show any random readings/waveforms on the screen. To me, this isn’t just a firmware bug. It’s a really badly coded feature or, more likely, a backdoor for future remote access.

BTW, this is a white-label device sold even in India under different resellers and brand names. Search for similar images on Indiamart or similar sites and you will find them. I don’t think anyone in India cares where their data ends up. Not sure why there isn’t any media outcry against this locally.

Anyway, if anyone from any hospital IT team is reading this and has this device (or any from its family), please remove network connectivity of this device. In an age where we trust machines with lives, we need to ask: who controls the code inside the box?
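
For hospital IT teams that first need to find affected monitors, the sketch below (an added example, not code from the advisory or the vendor) flags flow records where a device on the monitor VLAN talks to an address outside the hospital's networks, treating port 515 and the standard NFS ports 111 and 2049 as high severity. The subnets, the CSV flow format and the sample records are assumptions constructed for illustration.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Assumptions (site-specific, not from the advisory): monitor VLAN and internal ranges.
MONITOR_NET = ip_network("10.20.30.0/24")
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# 515 is the port named in the post; 111 and 2049 are the standard portmapper/NFS ports.
WATCHED_PORTS = {515: "patient data over LPD port", 111: "NFS portmapper", 2049: "NFS mount"}

# Constructed sample flow records; 203.0.113.10 and 198.51.100.7 are documentation addresses.
SAMPLE_FLOWS = """src,dst,dport,bytes
10.20.30.41,10.20.1.5,6661,1200
10.20.30.41,203.0.113.10,2049,48211
10.20.30.41,203.0.113.10,515,913004
10.20.30.42,10.20.1.9,515,300
10.50.0.7,203.0.113.10,443,5000
10.20.30.43,198.51.100.7,80,1500
"""

def is_internal(addr):
    """True when the address belongs to one of the hospital's own networks."""
    return any(addr in net for net in INTERNAL_NETS)

def find_suspect_flows(flow_csv):
    """Return alerts for monitor traffic that leaves the internal networks."""
    alerts = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src, dst = ip_address(row["src"]), ip_address(row["dst"])
        if src not in MONITOR_NET or is_internal(dst):
            continue  # not a monitor, or the traffic stays inside the hospital
        port = int(row["dport"])
        reason = WATCHED_PORTS.get(port, "unexpected external destination")
        severity = "high" if port in WATCHED_PORTS else "medium"
        alerts.append({"src": str(src), "dst": str(dst), "port": port,
                       "bytes": int(row["bytes"]), "severity": severity,
                       "reason": reason})
    return alerts

if __name__ == "__main__":
    for a in find_suspect_flows(SAMPLE_FLOWS):
        print(f'{a["severity"]:6} {a["src"]} -> {a["dst"]}:{a["port"]} '
              f'{a["bytes"]} bytes ({a["reason"]})')
```

A patient monitor has no reason to reach any external address, so even the medium-severity hits are worth following up.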
