CISA Warns of Flaws in Contec Health Patient Monitoring Devices

The Cybersecurity and Infrastructure Security Agency is warning about a series of vulnerabilities in a patient vital signs monitor used in hospitals, home health settings, and other places. The flaws can enable an attacker with physical access to modify the device’s parameters, exfiltrate patient data, and even implant malicious firmware on the device.

The bugs are in the Contec Health CMS8000 Vital Signs Patient Monitor, a device that’s designed to monitor a patient’s heart rate, oxygen saturation, temperature, and other vital signs. Researchers at Level Nine, a firm that specializes in medical device security, reported the flaws to CISA, and the agency said in its advisory that Contec Health did not respond to any requests from CISA to help mitigate the flaws.

There are five vulnerabilities in total, and perhaps the most severe of the lot is a bug that allows a local attacker to install a malicious firmware image without the impediment of authentication or other access controls.

“A threat actor with momentary access to the device can plug in a USB drive and perform a malicious firmware update, resulting in permanent changes to device functionality. No authentication or controls are in place to prevent a threat actor from maliciously modifying firmware and performing a drive-by attack to load the firmware on any CMS8000 device,” the CISA advisory says.

The CMS8000 devices also contain hardcoded credentials, a common issue in medical devices, IoT devices, and some ICS devices. Once those credentials are exposed, any device that uses them is at risk.

“Multiple globally default credentials exist across all CMS8000 devices, that once exposed, allow a threat actor with momentary physical access to gain privileged access to any device. Privileged credential access enables the extraction of sensitive patient information or modification of device parameters,” the advisory says.

The devices also are susceptible to a denial-of-service bug that an attacker can trigger by sending a simple UDP request to a vulnerable device.

“The CMS800 device fails while attempting to parse malformed network data sent by a threat actor. A threat actor with network access can remotely issue a specially formatted UDP request that will cause the entire device to crash and require a physical reboot. A UDP broadcast request could be sent that causes a mass denial-of-service attack on all CME8000 devices connected to the same network,” the CISA advisory says.

The remaining vulnerabilities are less serious, but are still problematic. One of the bugs could enable an attacker to write arbitrary files to a target device simply by creating a specially crafted SSID name and having the device connect to it.

In the absence of software updates, CISA recommends that organizations limit the network access of vulnerable devices, and, where possible, limit physical access to them.