Medicine China Communications Security

America's FDA Warns About Backdoor Found in Chinese Company's Patient Monitors (fda.gov) 19

Thursday America's FDA "raised concerns about cybersecurity vulnerabilities" in patient monitors from China-based medical device company Contec "that could allow unauthorized individuals to access and potentially manipulate those devices," reports Reuters. The patient monitors could be remotely controlled by unauthorized users or may not function as intended, and the network to which these devices are connected could be compromised, the agency warned. The FDA also said that once these devices are connected to the internet, they can collect patient data, including personally identifiable information and protected health information, and can export this data out of the healthcare delivery environment.

The agency, however, added that it is currently unaware of any cybersecurity incidents, injuries, or deaths related to these identified cybersecurity vulnerabilities.

The FDA's announcement says "The software on the patient monitors includes a backdoor, which may mean that the device or the network to which the device has been connected may have been or could be compromised." And it offers this advice to caregivers and patients: If your health care provider confirms that your device relies on remote monitoring features, unplug the device and stop using it. Talk to your health care provider about finding an alternative patient monitor.

If your device does not rely on remote monitoring features, use only the local monitoring features of the patient monitor. This means unplugging the device's ethernet cable and disabling wireless (that is, WiFi or cellular) capabilities, so that patient vital signs are only observed by a caregiver or health care provider in the physical presence of a patient. If you cannot disable the wireless capabilities, unplug the device and stop using it. Talk to your health care provider about finding an alternative patient monitor.

A detailed report from CISA describes how a research team "created a simulated network, created a fake patient profile, and connected a blood pressure cuff, SpO2 monitor, and ECG monitor peripherals to the patient monitor. Upon startup, the patient monitor successfully connected to the simulated IP address and immediately began streaming patient data..." to an IP address that is hard-coded into the backdoor function. "Sensor data from the patient monitor is also transmitted to the IP address in the same manner. If the routine to connect to the hard-coded IP address and begin transmitting patient data is called, it will automatically initialize the eth0 interface in the same manner as the backdoor. This means that even if networking is not enabled on startup, running this routine will enable networking and thereby enable this functionality."
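The behaviour CISA describes (a monitor that brings up eth0 on its own and streams to a fixed address) can be looked for in network flow records. The following is an added example, not code from the FDA, CISA or the vendor: it flags traffic from a patient-monitor subnet that either goes to a destination off an allowlist or comes from a monitor meant to run local-only. The subnet, allowlist, device addresses and flow lines are all constructed assumptions.

```python
import ipaddress

# RFC 1918 ranges, checked explicitly: ipaddress.is_private also covers
# documentation and other special-use ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed site layout (hypothetical values).
MONITOR_SUBNET = ipaddress.ip_network("10.20.30.0/24")    # patient monitors
ALLOWED_DESTINATIONS = {ipaddress.ip_address("10.20.1.10")}  # central station
LOCAL_ONLY = {ipaddress.ip_address("10.20.30.40")}  # networking meant to be off

# Constructed flow records: "timestamp src dst dst_port bytes".
SAMPLE_FLOWS = """\
2025-02-01T08:00:01Z 10.20.30.15 10.20.1.10 6000 48211
2025-02-01T08:00:02Z 10.20.30.15 198.51.100.7 9000 90344
2025-02-01T08:00:05Z 10.20.30.22 10.99.0.4 9000 1200
2025-02-01T08:00:07Z 10.20.30.40 10.20.1.10 6000 300
2025-02-01T08:00:09Z 10.20.40.8 203.0.113.9 443 5120
malformed line
"""

def classify(dst):
    """Label a destination as RFC 1918 private or external."""
    return "private" if any(dst in net for net in RFC1918) else "external"

def find_unexpected_egress(flow_text):
    findings = []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records
        ts, src, dst, port, nbytes = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port, nbytes = int(port), int(nbytes)
        except ValueError:
            continue
        if src_ip not in MONITOR_SUBNET:
            continue  # not a patient monitor
        if src_ip in LOCAL_ONLY:
            reason = "local-only monitor is sending traffic"
        elif dst_ip not in ALLOWED_DESTINATIONS:
            reason = "destination not on allowlist"
        else:
            continue  # expected traffic to the central station
        findings.append({"time": ts, "monitor": src, "dst": dst, "port": port,
                         "bytes": nbytes, "scope": classify(dst_ip), "reason": reason})
    # External destinations first, then by time.
    findings.sort(key=lambda f: (f["scope"] != "external", f["time"]))
    return findings
```

Flows to external addresses sort first because they mean data has left the healthcare delivery environment; private-scope findings still need review, since an unlisted internal host or a supposedly offline monitor on the wire is equally unexpected.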

  • by Smidge204 ( 605297 ) on Saturday February 01, 2025 @05:36PM (#65135465) Journal

    Just fire all the people at the FDA who issued the warning and order a stop to all investigations. Problem solved! It worked for the telecom infiltration [slashdot.org] so surely it'll work again.

    Can't have a problem if you refuse to acknowledge it!
    =Smidge=

  • Do software updates to medical devices get the same security scrutiny as that which is originally approved?

    • No, as a device manufacturer your procedures are approved and you are expected to follow them and you are subject to audit and Very Bad Things (would) happen if you got caught being an ass.

      Culture is part of the reason American products can be more expensive than Chinese products. This kind of corner-cutting and stealing is less prevalent in American products you will have access to for one big reason - the Chinese products you will see aren't the most expensive that the Chinese can/do produce but the che

      • No, as a device manufacturer your procedures are approved and you are expected to follow them and you are subject to audit and Very Bad Things (would) happen if you got caught being an ass.

        Trust, but verify.

        I worked for a medical device manufacturer at one point, and it was all about "document and do". Procedures were specific, and supervisors were required to sign off on each production run at each step certifying that the procedures were followed. QC inspectors signed off on test results, Engineers sign off on designs, etc.

        We were subject to unannounced FDA audits. An FDA inspector could (and did) show up randomly and could do anything from checking paperwork on file was signed off, to h

  • Was it an RFC1918 (Private) address?
    If so I fail to see a problem other than proof of sloppy failure to remove development testing code. Of course sending medical devices out with development testing code in them is a whole new can of worms.

    If it's a public address, where is it?
    The inference is it's in China, if so it is a major problem.

  • Kudos to whoever put a Wireshark on this thing and set up the network to reverse engineer their exfiltration APT.

    Good thing the bad guys didn't use SSL and check for certificate fingerprints.

    It sounds like they got root on the device and took it apart too.

    FDA should definitely keep this team.

  • https://apnews.com/article/tru... [apnews.com]

    Or did this announcement suit Herr Trump's narrative and was allowed out?

  • Why does a patient medical device ever need to be on the Internet?

    Why are power substations and water purification plants on the Internet?

    Why don't the idiots who set this up get fired, instead of "all Federal employees"?

  • Strange, you can still view it on the manufacturer's site: https://www.contecmed.com/prod... [contecmed.com] no information that the FDA advises to unplug the device.
    Nothing on their front page https://www.contecmed.com/ [contecmed.com] or their news section https://www.contecmed.com/xwzx [contecmed.com]
