Patient monitors could present concerning security vulnerabilities.
It has been discovered that Chinese hardware was transmitting sensitive information.
A warning has been issued regarding health monitoring devices manufactured in China that may be covertly sending sensitive data to a university in that country. The CISA (Cybersecurity and Infrastructure Security Agency) has noted that at least three healthcare devices, including the Contec CMS8000, have firmware vulnerabilities that allow for malicious activity.
The Contec CMS8000 is a patient monitor used in hospitals to track vital signs such as ECG, blood pressure, and oxygen saturation. According to an independent researcher, the device connected to a hardcoded external IP address, which subsequent investigation identified as belonging to a Chinese university, although the specific university was not disclosed.
Analysis linked the suspicious activity to a backdoor in the firmware that allows unknown third parties to execute programs remotely, take control of the monitors, and transmit patient data. Alarmingly, none of this activity was logged on the device, making it difficult for IT administrators to detect.
Further investigations found the same IP address linked to other medical equipment, including a patient monitor for pregnant women from another Chinese manufacturer, as well as Epsimed MN-120 patient monitors, which are rebranded versions of the Contec CMS8000.
CISA contacted Contec to report the vulnerability. Although the company supplied several firmware images in an attempt to fix the issue, none of the updates resolved the flaw, so the backdoor remained active. In the absence of a definitive fix, CISA recommended that users disconnect these devices from the network.
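Because the monitor itself records nothing, the only place this kind of traffic shows up is in network logs. The following added example (not from the report, CISA, or Contec) flags outbound flows from a patient-monitor segment to any destination outside an explicit allowlist, using constructed firewall log lines; the segment, allowlist, internal ranges, log format and the 203.0.113.7 address are all assumptions, not the address from the advisory.

```python
"""Flag outbound flows from a patient-monitor VLAN to non-allowlisted destinations.
Constructed example: addresses, allowlist and log format are assumptions."""
import ipaddress
import re

# Assumed network layout (not from the advisory): monitors live in 10.20.0.0/24,
# may only talk to the central station (10.20.1.10) and the NTP server (10.0.0.53),
# and everything the hospital owns sits inside 10.0.0.0/8.
MONITOR_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_DESTS = {ipaddress.ip_address("10.20.1.10"), ipaddress.ip_address("10.0.0.53")}
INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/8")]

# Assumed key=value firewall log format: "... src=A.B.C.D:port dst=E.F.G.H:port proto=tcp"
LOG_RE = re.compile(r"src=(?P<src>[\d.]+):\d+\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+proto=\w+")


def flag_flows(lines):
    """Return (src, dst, dport, reason) for every monitor flow not on the allowlist."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unparseable line; skip rather than crash the sweep
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if src not in MONITOR_SEGMENT or dst in ALLOWED_DESTS:
            continue
        internal = any(dst in net for net in INTERNAL_RANGES)
        reason = "unexpected internal destination" if internal else "external destination"
        findings.append((str(src), str(dst), int(m["dport"]), reason))
    return findings


# Constructed sample lines: two legitimate flows, one external beacon from a monitor,
# one external flow from a non-monitor host (ignored), one lateral flow from a monitor.
SAMPLE_LOG = [
    "2025-01-30T10:02:11Z fw1 ACCEPT src=10.20.0.15:49152 dst=10.20.1.10:5000 proto=tcp",
    "2025-01-30T10:02:13Z fw1 ACCEPT src=10.20.0.15:123 dst=10.0.0.53:123 proto=udp",
    "2025-01-30T10:02:20Z fw1 ACCEPT src=10.20.0.15:51234 dst=203.0.113.7:80 proto=tcp",
    "2025-01-30T10:03:01Z fw1 ACCEPT src=10.0.5.8:44321 dst=203.0.113.7:443 proto=tcp",
    "2025-01-30T10:03:05Z fw1 ACCEPT src=10.20.0.22:50001 dst=10.30.0.9:445 proto=tcp",
]

if __name__ == "__main__":
    for src, dst, dport, reason in flag_flows(SAMPLE_LOG):
        print(f"ALERT monitor {src} -> {dst}:{dport} ({reason})")
```

A monitor that only ever needs the central station should produce no findings at all; any hit is worth isolating the device and capturing the traffic before applying vendor firmware.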