5 Security Vulnerabilities Found in Contec Vital Signs Patient Monitors

CISA said that the security vulnerabilities found in certain Contec Health vital signs patient monitor devices could open the door to DDoS attacks.

The Cybersecurity and Infrastructure Security Agency (CISA) released a medical device advisory outlining five vulnerabilities found in Contec Health’s CMS8000 CONTEC ICU CCU Vital Signs Patient Monitor.

Successful exploitation of these vulnerabilities could allow threat actors to execute distributed denial-of-service (DDoS) attacks, modify firmware, make configuration changes, or access a root shell.

CISA said it contacted Contec Health about mitigating the vulnerabilities but has not received a response. Level Nine researchers originally reported the vulnerabilities to CISA.

The highest-severity vulnerability received a CVSS score of 7.5 and involves complete device failure.

“A threat actor with network access can remotely issue a specially formatted UDP request that will cause the entire device to crash and require a physical reboot,” the advisory stated.

“A UDP broadcast request could be sent that causes a mass denial-of-service attack on all CMS8000 devices connected to the same network.”

Another vulnerability simply requires a threat actor to have momentary access to the device, where they can plug in a USB drive and perform a malicious firmware update.

“No authentication or controls are in place to prevent a threat actor from maliciously modifying firmware and performing a drive-by attack to load the firmware on any CMS8000 device,” CISA noted.

A third vulnerability, which received a CVSS score of 4.3, involves the use of hard-coded credentials. Researchers found that “multiple globally default credentials exist across all CMS8000 devices, that once exposed, allow a threat actor with momentary physical access to gain privileged access to any device.”

With access to privileged credentials, threat actors may be able to extract patient information or modify device parameters.

The fourth vulnerability entails poorly configured compiler settings that “greatly decrease the level of effort for a threat actor to reverse engineer sensitive code and identify additional vulnerabilities.”

Finally, the fifth vulnerability involves improper access control. Researchers found that the CMS8000 device does not properly control or sanitize the SSID name of a new Wi-Fi access point.

“A threat actor could create an SSID with a malicious name, including non-standard characters that, when the device attempts connecting to the malicious SSID, the device can be exploited to write arbitrary files or display incorrect information,” the advisory explained.

Although Contec Health has not provided any specific mitigation recommendations itself, CISA provided numerous recommendations that could help healthcare organizations reduce the risk of exploitation.

Organizations with CMS8000 devices in use should consider disabling UART functionality at the CPU level, enforcing unique device authentication before granting access to the terminal, enforcing secure boot, and placing tamper stickers on the device casing to indicate when it has been opened.

In addition, CISA recommended that organizations employ several defensive measures to mitigate risk, including maintaining physical access controls, minimizing network exposure, locating control system networks and remote devices behind firewalls, and using VPNs.

“Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents,” CISA concluded.

“No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.”