CISA Warns of Possible Risk of DDoS in Contec Patient Monitoring Medical Devices
According to an alert from the Cybersecurity and Infrastructure Security Agency (CISA), one of five recently disclosed vulnerabilities in certain Contec Health patient monitoring devices could cause a “mass DDoS attack on all CMS8000 devices connected to the same network”.
Security firm Level Nine reported the vulnerabilities to CISA. However, “Contec Health has not responded to requests to work with CISA to mitigate these vulnerabilities.”
The defects affect the Contec CMS8000 ICU Vital Signs monitor, and two of them pose a serious risk to both the device and the healthcare network. The most critical is an uncontrolled resource consumption flaw in the CMS8000, which “fails when attempting to parse malformed network data sent by a malicious actor”.
As a result, an attacker with network access could “remotely issue a specially formatted UDP request that will cause the entire device to hang and require a physical reboot.” If the actor then sent a UDP broadcast request, it would cause a DDoS attack.
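Because the alert's concern is a single UDP broadcast reaching every monitor on a segment, a defender's first question is whether anything on the monitor VLAN is seeing UDP broadcast traffic from unexpected sources. The following Python is an added example, not code from the CISA alert or from Contec: it runs simple detection logic over constructed flow-log lines. The monitor subnet (10.20.30.0/24), the log format, and the list of benign broadcast ports are all assumptions made for the example.

```python
import ipaddress
from collections import Counter

# Assumed VLAN for the patient monitors (placeholder, not from the advisory).
MONITOR_SUBNET = ipaddress.ip_network("10.20.30.0/24")

# UDP broadcast that is normal on most LANs and should not raise an alert:
# DHCP (67/68) and NetBIOS name/datagram services (137/138). Assumed policy.
BENIGN_BROADCAST_PORTS = frozenset({67, 68, 137, 138})

# Constructed flow records (not real captures), one per line:
# "<timestamp> <src_ip> <dst_ip> <proto> <dst_port> <bytes>"
SAMPLE_FLOWS = """\
2024-05-01T09:00:01Z 10.20.30.11 10.20.30.1 tcp 443 1200
2024-05-01T09:00:02Z 10.20.30.11 255.255.255.255 udp 67 342
2024-05-01T09:00:03Z 10.20.30.99 10.20.30.255 udp 5000 512
2024-05-01T09:00:04Z 10.20.30.99 10.20.30.255 udp 5000 512
2024-05-01T09:00:05Z 10.20.30.99 10.20.30.255 udp 5000 512
2024-05-01T09:00:06Z 10.20.30.12 10.20.30.255 udp 138 201
2024-05-01T09:00:07Z 10.20.40.7 10.20.30.255 udp 6000 300
2024-05-01T09:00:08Z 10.20.30.13 10.20.30.14 udp 5000 90
"""


def parse_flow(line: str) -> dict:
    """Split one constructed flow line into typed fields."""
    ts, src, dst, proto, port, nbytes = line.split()
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "proto": proto.lower(),
        "port": int(port),
        "bytes": int(nbytes),
    }


def is_broadcast_into(subnet: ipaddress.IPv4Network, dst: ipaddress.IPv4Address) -> bool:
    """True for the subnet's directed broadcast address or the limited broadcast."""
    return dst == subnet.broadcast_address or dst == ipaddress.ip_address("255.255.255.255")


def udp_broadcast_senders(flow_text: str, subnet=MONITOR_SUBNET, threshold: int = 1) -> dict:
    """Count UDP broadcast datagrams aimed at the monitor VLAN, per source host.

    Returns {source_ip: count} for every source at or above `threshold`,
    ignoring the benign broadcast ports above.
    """
    counts: Counter = Counter()
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["proto"] != "udp" or f["port"] in BENIGN_BROADCAST_PORTS:
            continue
        if is_broadcast_into(subnet, f["dst"]):
            counts[str(f["src"])] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def directed_broadcast_from_outside(flow_text: str, subnet=MONITOR_SUBNET) -> list:
    """Sources outside the subnet that still reach its broadcast address.

    A hit means a router is forwarding directed broadcasts into the monitor
    segment, which defeats the network segmentation the alert recommends.
    """
    hits = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["proto"] == "udp" and f["dst"] == subnet.broadcast_address and f["src"] not in subnet:
            hits.append(str(f["src"]))
    return sorted(set(hits))


if __name__ == "__main__":
    print("UDP broadcast senders:", udp_broadcast_senders(SAMPLE_FLOWS))
    print("Repeat offenders (>=2):", udp_broadcast_senders(SAMPLE_FLOWS, threshold=2))
    print("Directed broadcast from outside VLAN:", directed_broadcast_from_outside(SAMPLE_FLOWS))
```

On the constructed sample, 10.20.30.99 is flagged for three non-benign broadcasts and 10.20.40.7 is flagged as an off-subnet host reaching the VLAN's broadcast address; the DHCP and NetBIOS lines are ignored. In practice the threshold and the benign-port list are tuned per site, and a hit on `directed_broadcast_from_outside` is usually a router configuration finding before it is an attacker finding.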
The second most pressing bug is caused by improper access controls, which would allow an attacker “with momentary access to the device” to plug in a USB drive and install a malicious firmware update, which could result in permanent changes to the functionality of the device.
The device lacks authentication or controls that would prevent a malicious actor from performing the “driving attack” on any CMS8000 device.
The other three flaws have CVSS severity scores between 3.0 and 5.7 and relate to the use of hard-coded credentials, active debugging code, and an improper access control issue in which the device fails to “properly check or sanitize the SSID name of a new Wi-Fi access point.”
“A threat actor could create an SSID with a malicious name, including non-standard characters which, when the device attempts to connect to the malicious SSID, the device can be exploited to write arbitrary files or display incorrect information”, according to the alert.
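The missing check the alert describes is ordinary input validation at the point where a device decides which network to join and how to show its name. The following Python is an added example of that check, not Contec firmware or anything from the CISA alert: it treats the SSID as the raw octets a beacon carries, accepts only a conservative allowlist (an assumed policy for this example), and renders any other octet as an escape sequence so that logs and screens show exactly what was received rather than interpreting it.

```python
import re

SSID_MAX_BYTES = 32  # IEEE 802.11 limits an SSID to 32 octets

# Conservative allowlist chosen for this example (an assumption, not a Contec
# or CISA policy): letters, digits, space, dot, underscore and hyphen only.
_ALLOWED_SSID = re.compile(r"[A-Za-z0-9 ._-]{1,32}")


def validate_ssid(raw: bytes) -> tuple:
    """Decide whether a beacon's SSID octets are safe to hand to the
    connection and display logic. Returns (ok, reason)."""
    if not raw:
        return False, "empty SSID"
    if len(raw) > SSID_MAX_BYTES:
        return False, "SSID longer than 32 octets"
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII octets in SSID"
    if _ALLOWED_SSID.fullmatch(text) is None:
        # Catches NUL, other control bytes, '/', '%', quotes and similar.
        return False, "character outside allowlist"
    if ".." in text or text != text.strip():
        return False, "path-like or padded SSID"
    return True, "ok"


def display_ssid(raw: bytes) -> str:
    """Render an SSID for a log line or the screen so that every non-printable
    or non-ASCII octet appears as \\xNN instead of being interpreted."""
    out = []
    for b in raw[:SSID_MAX_BYTES]:
        if 0x20 <= b <= 0x7E and b != 0x5C:  # printable ASCII, backslash excluded
            out.append(chr(b))
        else:
            out.append(f"\\x{b:02x}")
    return "".join(out)


def select_networks(beacons: list) -> list:
    """Filter observed SSIDs down to the ones the device may attempt to join."""
    return [s for s in beacons if validate_ssid(s)[0]]


if __name__ == "__main__":
    # Constructed sample beacons, including the kinds of "non-standard
    # characters" the alert warns about. Not real network captures.
    observed = [
        b"Ward3-Monitors",
        b"",
        b"../../etc/passwd",
        b"%s%s%n",
        b"nurse\x00station",
        b"A" * 33,
        b"caf\xc3\xa9",
    ]
    for s in observed:
        ok, why = validate_ssid(s)
        verdict = "accept" if ok else "reject: " + why
        print(f"{display_ssid(s)!r:>22}  ->  {verdict}")
    print("joinable:", select_networks(observed))
```

The design point is that validation happens on the raw octets before any decoding or string formatting, and that the display path never trusts the input either. An allowlist this strict rejects legitimate Unicode SSIDs; for a clinical device that only ever joins a hospital-managed network, that trade-off is usually acceptable, and the policy can be widened deliberately rather than by omission.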
CISA has warned that a successful exploit of these flaws could give an attacker a root shell or let them use the hard-coded credentials to make configuration changes. Privileged access to those credentials could also allow extraction of patient data or modification of device settings.
Fortunately, there are no known public exploits that specifically target these flaws, nor can they be remotely exploited.
The alert gives affected entities recommended mitigations to reduce the risk of exploitation, including disabling UART at the CPU level, requiring device single sign-on before allowing terminal or bootloader access, enforcing secure boot where possible, and placing tamper-evident stickers on the case of the affected device so that it is apparent when a device has been opened.
CISA also provided general network mitigations to further protect vulnerable devices, and shared best-practice resources for hardening the entire healthcare network.
As the vendor has not responded to CISA’s requests to work together on a fix for the vulnerabilities, healthcare provider organizations are encouraged to contact Contec Health for further details on these affected products.
As stated earlier, vulnerability disclosures are crucial in healthcare to help vendors fix known flaws. Vendors must work closely with entities when security bugs are detected to prevent their exploitation.