America's FDA Warns About Backdoor Found in Chinese Company's Patient Monitors (fda.gov)
On Thursday, America's FDA "raised concerns about cybersecurity vulnerabilities" in patient monitors from China-based medical device company Contec "that could allow unauthorized individuals to access and potentially manipulate those devices," reports Reuters.
The patient monitors could be remotely controlled by unauthorized users or may not function as intended, and the network to which these devices are connected could be compromised, the agency warned. The FDA also said that once these devices are connected to the internet, they can collect patient data, including personally identifiable information and protected health information, and can export this data out of the healthcare delivery environment.
The agency, however, added that it is currently unaware of any cybersecurity incidents, injuries, or deaths related to these identified cybersecurity vulnerabilities.
The FDA's announcement says "The software on the patient monitors includes a backdoor, which may mean that the device or the network to which the device has been connected may have been or could be compromised." And it offers this advice to caregivers and patients: If your health care provider confirms that your device relies on remote monitoring features, unplug the device and stop using it. Talk to your health care provider about finding an alternative patient monitor.
If your device does not rely on remote monitoring features, use only the local monitoring features of the patient monitor. This means unplugging the device's ethernet cable and disabling wireless (that is, WiFi or cellular) capabilities, so that patient vital signs are only observed by a caregiver or health care provider in the physical presence of a patient. If you cannot disable the wireless capabilities, unplug the device and stop using it. Talk to your health care provider about finding an alternative patient monitor.
A detailed report from CISA describes how a research team "created a simulated network, created a fake patient profile, and connected a blood pressure cuff, SpO2 monitor, and ECG monitor peripherals to the patient monitor. Upon startup, the patient monitor successfully connected to the simulated IP address and immediately began streaming patient data..." to an IP address that is hard-coded into the backdoor function. "Sensor data from the patient monitor is also transmitted to the IP address in the same manner. If the routine to connect to the hard-coded IP address and begin transmitting patient data is called, it will automatically initialize the eth0 interface in the same manner as the backdoor. This means that even if networking is not enabled on startup, running this routine will enable networking and thereby enable this functionality
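The CISA description above (a hard-coded destination, eth0 brought up on demand, vital-sign data streamed out) points at what a hospital network team can actually observe: a monitor talking to a peer it has no business talking to. The following is an added example, not code from the FDA, CISA or Contec. It audits a constructed connection log for a device segment against a per-device allowlist, separates RFC 1918 destinations from public ones (the distinction a commenter below asks about), and renders a default-deny egress ruleset in nftables syntax for the segment gateway, which assumes that gateway runs nftables. All device names, log lines and addresses are constructed (public ones use RFC 5737 TEST-NET ranges); the actual hard-coded address from the CISA report is not on this page and is not reproduced here.

```python
"""Egress audit for a medical-device network segment.

Added example, not FDA/CISA/Contec code. Every address, device and log
line below is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed allowlist: the only destinations each monitored device may reach.
# An empty set means the device should never originate traffic at all.
DEVICE_ALLOWLIST = {
    "10.20.0.15": {"10.20.0.2"},   # patient monitor -> central station only
    "10.20.0.16": set(),           # bedside device with no sanctioned peers
}

# Constructed connection log, one flow per line: "ts src dst dport bytes_out".
SAMPLE_LOG = """\
1738160000 10.20.0.15 10.20.0.2 5000 8192
1738160005 10.20.0.15 203.0.113.7 515 65536
1738160010 10.20.0.16 10.20.0.99 445 1024
1738160015 10.20.0.15 10.20.0.2 5000 4096
1738160020 10.20.0.16 198.51.100.9 443 2048
"""

# RFC 1918 ranges spelled out: ipaddress.is_private() also matches the
# documentation/TEST-NET ranges, which is not what the question asks.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Finding:
    ts: int
    src: str
    dst: str
    dport: int
    bytes_out: int
    reason: str


def is_rfc1918(addr: str) -> bool:
    """True only for IPv4 addresses inside the three RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def parse_log(text: str):
    """Yield (ts, src, dst, dport, bytes_out) tuples, skipping blanks and comments."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        yield int(ts), src, dst, int(dport), int(nbytes)


def audit_egress(log_text: str, allowlist=DEVICE_ALLOWLIST):
    """Flag every flow from a watched device to a destination not on its allowlist."""
    findings = []
    for ts, src, dst, dport, nbytes in parse_log(log_text):
        if src not in allowlist:
            continue                      # not a device we are watching
        if dst in allowlist[src]:
            continue                      # sanctioned peer (e.g. the central station)
        reason = ("unexpected internal destination" if is_rfc1918(dst)
                  else "unexpected external destination")
        findings.append(Finding(ts, src, dst, dport, nbytes, reason))
    return findings


def nft_egress_ruleset(allowlist=DEVICE_ALLOWLIST) -> str:
    """Render a default-deny forward policy for the segment gateway (assumes nftables)."""
    lines = ["table inet medical_egress {",
             "    chain forward {",
             "        type filter hook forward priority 0; policy accept;"]
    for src, dests in sorted(allowlist.items()):
        for dst in sorted(dests):
            lines.append(f"        ip saddr {src} ip daddr {dst} accept")
        lines.append(f"        ip saddr {src} drop")   # everything else from this device
    lines += ["    }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for f in audit_egress(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport} ({f.bytes_out} B): {f.reason}")
    print(nft_egress_ruleset())
```

The allowlist is deliberately per-device rather than per-segment: a monitor's only legitimate peer is the station that displays its vitals, so a flow to any other host, RFC 1918 or not, is worth a ticket even though the two cases carry different risk. The rendered ruleset can be loaded with `nft -f` on a gateway that already runs nftables; on anything else it serves as a specification of the intended policy.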
No problem! (Score:5, Informative)
Just fire all the people at the FDA who issued the warning and order a stop to all investigations. Problem solved! It worked for the telecom infiltration [slashdot.org] so surely it'll work again.
Can't have a problem if you refuse to acknowledge it!
=Smidge=
Re:No problem! (Score:4, Interesting)
Re: (Score:2)
Can't have a problem if you refuse to acknowledge it!
Strangely enough this also lets you fly. You simply choose to disbelieve and off you go.
Re:Cue the wumao (Score:5, Interesting)
Most of these backdoors, including US and European ones, are for factory testing and debugging. They are incredibly common in the embedded world.
You can go back year after year of CCC and Defcon talks about them. I've been there in my career - business demands for faster manufacturing and the ability for technicians to diagnose and fix problems are strong. Bosses don't care about security because if they get hacked they blame the "sophisticated state sponsored hacker" and do the bare minimum to fix that specific vulnerability. Happens in every country.
One way to stop it is mandatory security audits. For medical devices the cost is probably not huge compared to getting them through medical certification, but for consumer devices it could be.
Maybe a better option is better firewalls. I don't know if there is any legitimate need for this thing to connect to the internet, but the user should be able to control when it has access and what domains it connects to. Most consumer routers can't do it, and those that can don't have an easy interface for it.
Re: (Score:3)
Maybe a better option is better firewalls. I don't know if there is any legitimate need for this thing to connect to the internet, but the user should be able to control when it has access and what domains it connects to. Most consumer routers can't do it, and those that can don't have an easy interface for it.
Firewalls are basically never the correct solution unless the question is "How do I work around the inadequate supply of IPv4 addresses," and even then, it isn't necessarily the best solution.
These days, most of the interesting cases of data exfiltration in bulk involve advanced persistent threats, where someone breaks into one system and uses it over a long period of time to gain access to another system. Getting in could be as trivial as convincing one person to run some piece of malware on a Windows mac
Re: Cue the wumao (Score:2)
Firewalls are the correct solution to encapsulate devices and software packages with questionable security. This is basically everything you have in your net.
Using NAT is to take care of the IPv4 shortage.
Re: (Score:2)
Indeed. Sounds to me like the person you answered to does not know what a firewall actually is.
Re: (Score:2)
Indeed. Sounds to me like the person you answered to does not know what a firewall actually is.
Sounds to me like neither of you understands sarcasm. That was me trying to be snarky.
Re: (Score:2)
Weak response is weak. I think you have some experience in IT risk management, but do not understand the tech aspect at all.
Re: (Score:3)
Firewalls are the correct solution to encapsulate devices and software packages with questionable security. This is basically everything you have in your net.
Using NAT is to take care of the IPv4 shortage.
Pedantry won't win you points here. By orders of magnitude, the most commonly used NAT hardware is cheap firewalls that live in people's houses. Carrier grade NAT is lost in the noise by comparison.
Firewalls, as I said, aren't really a solution for any real-world problem. They're solely useful for defense in depth, largely to buy you time to fix known vulnerabilities so that they are not being continuously attacked.
I'm not saying that firewalls aren't useful, but as soon as somebody finds a way to breach
Re: (Score:2)
Try "necessary but not sufficient" as the proper answer. Firewalls are necessary. Firewalls are not sufficient.
N.B.: I'm no expert in that particular area, but this seems like the obvious answer. Remember, the most important leg of a three-legged stool is the one that is missing.
Re: (Score:2)
Firewalls are basically never the correct solution unless the question is "How do I work around the inadequate supply of IPv4 addresses," and even then, it isn't necessarily the best solution.
I know what you're getting at, but I think you and the GP are talking past each other. Amimojo said:
I don't know if there is any legitimate need for this thing to connect to the internet, but the user should be able to control when it has access and what domains it connects to.
And while the term 'firewall' might not necessarily be the most accurate term for what's being suggested, what's being suggested is still a good idea.
Go take a look at some early 2000s laptops that had first-gen wireless chipsets built in. Many of them had physical, hardware switches...and many of those switches cut power to the chipset itself - you'll hear Windows make the hardware disconnect sound if you sw
Re: (Score:2)
I know what you're getting at, but I think you and the GP are talking past each other. Amimojo said:
I don't know if there is any legitimate need for this thing to connect to the internet, but the user should be able to control when it has access and what domains it connects to.
And while the term 'firewall' might not necessarily be the most accurate term for what's being suggested, what's being suggested is still a good idea.
Yeah, that's a firewall, and the most restrictive version of that would be called an air gap. Now go look at the stats for how many times systems behind air gaps have been compromised in interesting ways, and you'll conclude that this is only a short-term stopgap, not an alternative to fixing the vulnerability [arxiv.org].
I'm not saying it's not a good thing to do as part of defense in depth, assuming that whatever limits you impose don't completely destroy productivity, but it is important to understand that no amoun
Re: (Score:2)
One way to stop it is mandatory security audits.
Or, hear me out here, all back doors, testing harnesses, etc, must, by law, be disabled before being sent out from the factory. Add a very large fine or even prison time for executives and I bet all of this shit goes away faster than a case of gonorrhea with penicillin.
The audits should be performed anyways.
Are we doomed to repeat history?(Re:Cue the wumao) (Score:2)
Maybe we should not be relying on any foreign nation for products vital to health, safety, and security. Chinese or not, I'm not sure I should trust any other nation for products where a break in security could lead to dead people.
I'm quite fed up with how many internet products depend on some server somewhere to function as intended. If I want to adjust the settings on my new fiber modem then I need to set up an account with the company that made the device or call my service provider to make adjustments
Re: (Score:1)
Maybe we need to find a cure for whatever bowel disease Trump's had for decades; he might not be so angry and upset if he no longer needed diapers -- or maybe we could fix the plumbing so he's not flushing 12 times (and he finally stops complaining about flushing) to dispose of his diapers. No, forget about telling him how to properly dispose of them; old dog, no new tricks.
How did it get approved with this backdoor? (Score:2)
Do software updates to medical devices get the same security scrutiny as that which is originally approved?
Re: (Score:2)
IIUC, for many devices they ensure that any update meets security requirements by not approving them.
Re: (Score:2)
No, as a device manufacturer your procedures are approved and you are expected to follow them and you are subject to audit and Very Bad Things (would) happen if you got caught being an ass.
Culture is part of the reason American products can be more expensive than Chinese products. This kind of corner-cutting and stealing is less prevalent in American products you will have access to for one big reason - the Chinese products you will see aren't the most expensive that the Chinese can/do produce but the che
Re: (Score:3)
No, as a device manufacturer your procedures are approved and you are expected to follow them and you are subject to audit and Very Bad Things (would) happen if you got caught being an ass.
Trust, but verify.
I worked for a medical device manufacturer at one point, and it was all about "document and do". Procedures were specific, and supervisors were required to sign off on each production run at each step certifying that the procedures were followed. QC inspectors signed off on test results, engineers signed off on designs, etc.
We were subject to unannounced FDA audits. An FDA inspector could (and did) show up randomly and could do anything from checking paperwork on file was signed off, to h
Re: (Score:2)
It's a patient monitor; it records things like heart rate and blood pressure. It's not important enough to undergo such rigorous checking. All it needs is to be periodically checked against the doctor's equipment, mostly to make sure that the patient is using it right.
Re: (Score:2)
I doubt foreign factories are subject to random FDA inspection routines
They are supposed to be, but whether that happens or the FDA actually does something about it is another story. There's a long list of violations found in production facilities in India, for example, but the FDA can't seriously sanction them or cut them off because they are the only source for certain drugs and key ingredients.
Re: (Score:2)
What security scrutiny? All medical devices are full of vulnerabilities and holes. It's just the way these things are made, they'll have a ton of work done to make sure the processing of common inputs produces reasonably accurate medical info, and after that the product ships. There's no security audits done beyond maybe a token automated scan that crashes the device so the scan stops and declares it can't find anything.
This is just the usual yellow-peril scaremongering. Take a product made by a mom-and
What was the IP address? (Score:2)
Was it an RFC1918 (Private) address?
If so I fail to see a problem other than proof of sloppy failure to remove development testing code. Of course sending medical devices out with development testing code in them is a whole new can of worms.
If it's a public address, where is it?
The inference is it's in China, if so it is a major problem.
Re: What was the IP address? (Score:3)
Good Job (Score:2)
Kudos to whoever put a wireshark on this thing and set up the network to reverse engineer their exfiltration APT.
Good thing the bad guys didn't use SSL and check for certificate fingerprints.
It sounds like they got root on the device and took it apart too.
FDA should definitely keep this team.
I thought the FDA was forbidden to communicate (Score:1)
https://apnews.com/article/tru... [apnews.com]
Or did this announcement suit Herr Trump's narrative and was allowed out?
Re: (Score:3)
I don't think this was meant as part of a Trump narrative - it doesn't put the blame on DEI.
Re: (Score:2)
It blames China for something.
Re: (Score:2)
China (computer) Virus!
Re: (Score:2)
Give it a few more weeks: you'll learn to hate the orange dictator too.
Also, it's "whose".
Re: (Score:2)
I'm more concerned about Trump's backdoor for Putin access... or his enforcer bot, Musk.
Re: (Score:2)
Why connect to the Internet (Score:1)
Why does a patient medical device ever need to be on the Internet?
Why are power substations and water purification plants on the Internet?
Why don't the idiots who set this up get fired, instead of "all Federal employees"?
Re: (Score:2)
Probably for convenience. My blood-pressure monitor keeps wanting to sync with something, and complaining because it can't. My guess is it was designed to send the info to a computer that would record the info. (Instead I write it down in a notebook, so I can see what the trends are without pulling out another device.)
Re: (Score:2)
Because they may be Trump voters, campaign contributors, friends, business partners or other useful people to Trump.
"All Federal Employees" are not, and seek to hamper Project 2025 implementation. They must go.
Still available (Score:2)
Strange, you can still view it on the manufacturer's site: https://www.contecmed.com/prod... [contecmed.com], with no information that the FDA advises to unplug the device.
Nothing on their front page https://www.contecmed.com/ [contecmed.com] or their news section https://www.contecmed.com/xwzx [contecmed.com]
Likely innocuous, but still wrong (Score:2)
Re: (Score:2)
I doubt it. It was probably for testing during manufacture, and just never disabled.
The worst part of these stories (Score:1)
How was this announced? (Score:2)
I mean, the "you may not publish, etc" executive (dysfunction) order?