Agency Says Risks Include Equipment Denial of Service, Device Tampering
Security flaws in a vital signs monitoring device from China-based manufacturer Contec Medical Systems Co. could allow attackers to launch a denial-of-service attack spreading to all other such devices connected to the same network, federal authorities warn.
See Also: Webinar | Prevent, Detect & Restore: Data Security Backup Systems Made Easy
The U.S. Cybersecurity and Infrastructure Security Agency in a Thursday advisory warns of several vulnerabilities identified by research firm Level Nine in the CMS8000 Contec ICU CCU Vital Signs Patient Monitor. The device is used worldwide.
Vulnerabilities include two improper access control flaws, uncontrolled resource consumption, use of hard-coded credentials, and active debug code. The vulnerabilities range from a CVSS v3 base score of 3.0 to 7.5.
Successful exploitation of the uncontrolled resource consumption flaw allows a threat actor to cause a denial-of-service attack blocking access to every such device connected to the same medical center network. A successful attack would require the attacker to already have network access; the attack would be executed by sending a malformed UDP request.
CISA’s advisory says Contec has not responded to the agency’s requests to work with CISA to mitigate the vulnerabilities. Neither did Contec respond to Information Security Media Group’s request for comment.
An attacker with physical access to the device could also modify its firmware or take advantage of hard-coded credentials to make configuration changes, CISA warns.
“No authentication or controls are in place to prevent a threat actor from maliciously modifying firmware and performing a drive-by attack to load the firmware on any CMS8000 device,” CISA says.
The use of hard-coded credentials in medical devices today “is so 1990s,” says Kevin Fu, director of the Archimedes Center for Healthcare and Device Security at the University of Michigan.
“A hard-coded credential would violate any scientifically meaningful threat model,” says Fu, who recently completed an 18-month term as acting director of medical device cybersecurity at the Food and Drug Administration.
DDoS Vulnerability Details
Jason Sinchak, principal of product security at Level Nine, the firm that discovered the vulnerabilities, says the most serious findings involved the uncontrolled resource consumption flaw.
That vulnerability “would allow a threat actor with access to a hospital network – for example, through hacking Wi-Fi or plugging into a network jack – to send a single network packet that would globally crash all patient monitors connected to the network,” he says. “The crashed monitors would require physical access to reboot and fix, ensuring significant delay in use of the device to monitor critical patient vitals.”
Hospitals rely on bedside patient monitors to remotely monitor many patients at a nurse station or to listen for alarms when a patient’s vitals degrade.
To mitigate the issues identified, Contec will need to provide an update, Sinchak says. “A hospital could mitigate the risk by disconnecting the monitors from the network and employing tamper seals across all physical interfaces,” he says, adding that while Level Nine has been in contact with Contec, the researchers have had “difficulties in obtaining a response from the vendor.”
Contec’s ongoing silence is cause for concern, says Fu. “There are several possible channels to coordinate medical device security vulnerability disclosures for the U.S. marketplace, and all involve CISA,” he says.
In general, cooperation and transparency – such as voluntary disclosures of security vulnerabilities – by some medical device makers is improving, but as an industry, much more progress is needed, says Vidya Murthy, chief operating officer at medical device cybersecurity firm MedCrypt.
The fact that Contec is a Chinese manufacturer adds “a political component to the discussion,” says Axel Wirth, chief security strategist at MedCrypt.
Overall, “medical device cybersecurity is improving, but this uncoordinated vulnerability disclosure is yet another example of rookie pitfalls along the way,” Fu says.
In lieu of Contec not responding to CISA’s request to collaborate on mitigations, CISA offers its own recommendations for how entities can address the risks involving the patient monitoring device vulnerabilities. They include:
- Disabling universal asynchronous receiver-transmitter functionality at the CPU level;
- Enforcing unique device authentication before granting access to the terminal/bootloader;
- Enforcing secure boot when possible;
- Securing physical access and applying tamper stickers on the device casing to indicate if a device has been physically opened;
- Minimizing network exposure for all control system devices and ensuring they are not accessible from the internet;
- Locating control system networks and remote devices behind firewalls and isolating them from the business network;
- Using secure methods for when remote access to the devices is required.
There are a number of other steps healthcare providers can take to improve their overall medical device cybersecurity approaches, Wirth says.
One he mentions is demanding certain cybersecurity requirements in purchasing contracts to augment medical devices with external security tools, such as passive network monitoring. “I would think that a manufacturer’s willingness to contractually agree to certain cybersecurity terms will help hospitals to sort out vendors they should not be doing business with,” he says.
“It is also important to note hospitals and the FDA are maturing their expectations for post-market vigilance by device manufacturers. In fact, the FDA in April issued new draft cybersecurity guidance for premarket medical devices (see: FDA Document Details Cyber Expectations for Device Makers).