Internals of Contec CMS8000 Patient Monitor

Abstract:


The Contec CMS8000 Patient Monitor is a medical device designed to provide real-time monitoring of vital signs. This report provides a comprehensive analysis of the device, revealing critical security vulnerabilities that pose a risk to patient privacy, data integrity, and overall system security. The analysis examines the device's communication protocols, firmware structure, update mechanisms, and corporate affiliations to give a full view of the security posture of the Contec Medical Systems device.

Key findings

· By default, the Contec CMS8000 Patient Monitor streams anonymized real-time HL7 data to the IP address 202.114.4.120 on port 51. This communication is established automatically, without any need for user configuration. Although the data is anonymized, detailed graphs of patient medical information such as heartbeat and other vital signs can be reconstructed from it.

· The firmware sits on a UniIC DRAM chip, specifically the SCN00SA1T1 model. The firmware is organized as a Yet Another Flash File System (YAFFS) file system and contains a total of 211 files.

· The device uses the Point-to-Point Protocol (PPP) for internal network communication. This is unusual but plausible given the type of device.

· The device contains a potential backdoor ELF binary file named “cmddog”. This file listens on a UNIX socket that is globally accessible due to the use of chmod 0777 on the socket. This allows all internal processes to communicate with the socket. The “backdoor” listens for commands in a specific format and executes them within the context of the user.

· The CMS8000 Patient Monitor has an update mechanism that retrieves updates from a mounted NFS share on the IP address 202.114.4.119. The update procedure does not attempt to validate the update in any way.

· An analysis of the corporate structure of Contec Medical Systems reveals a direct connection to the Chinese Communist Party through independent board member Mr. Yang Changdong.
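
A defender-side check for the HL7 streaming and NFS update findings above, as an added example that is not part of the original report: it scans network flow records for traffic to the two hard-coded addresses and summarizes it per source device. The CSV record layout, the internal source addresses, and every port other than 51 are constructed sample data.

```python
import csv
import io
from collections import defaultdict

# Hard-coded endpoints named in the key findings above.
TELEMETRY = ("202.114.4.120", 51)   # HL7 stream destination
UPDATE_HOST = "202.114.4.119"       # NFS update share (the page gives no port)

# Constructed sample flow records: time, src_ip, dst_ip, dst_port, bytes_out.
SAMPLE_FLOWS = """\
2025-01-30T10:00:01Z,10.20.5.17,202.114.4.120,51,1840
2025-01-30T10:00:02Z,10.20.5.17,10.20.0.5,2575,912
2025-01-30T10:00:09Z,10.20.5.23,202.114.4.119,2049,0
2025-01-30T10:00:11Z,10.20.5.17,202.114.4.120,51,2210
2025-01-30T10:00:15Z,10.20.5.40,202.114.4.120,443,300
malformed line
"""

def classify(dst_ip, dst_port):
    """Return a finding label for a flow destination, or None if unrelated."""
    if (dst_ip, dst_port) == TELEMETRY:
        return "hl7-telemetry"
    if dst_ip == UPDATE_HOST:
        return "update-share"          # match on address only, any port
    if dst_ip == TELEMETRY[0]:
        return "telemetry-host-other-port"
    return None

def scan(flow_text):
    """Aggregate matching flows per (source, label): count, bytes, first/last seen."""
    hits = defaultdict(lambda: {"count": 0, "bytes": 0, "first": None, "last": None})
    for row in csv.reader(io.StringIO(flow_text)):
        if len(row) != 5 or not row[3].isdigit() or not row[4].isdigit():
            continue  # skip malformed records instead of aborting the scan
        ts, src, dst, port, nbytes = row
        label = classify(dst, int(port))
        if label is None:
            continue
        h = hits[(src, label)]
        h["count"] += 1
        h["bytes"] += int(nbytes)
        # ISO 8601 UTC timestamps in one format compare correctly as strings.
        h["first"] = ts if h["first"] is None else min(h["first"], ts)
        h["last"] = ts if h["last"] is None else max(h["last"], ts)
    return dict(hits)

if __name__ == "__main__":
    for (src, label), h in sorted(scan(SAMPLE_FLOWS).items()):
        print(f"{src} {label} flows={h['count']} bytes={h['bytes']} {h['first']}..{h['last']}")
```

A flow with zero bytes out still counts as a hit, since a blocked connection attempt to either address identifies a device running the default configuration.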

Download the full report here: https://m4lc.io/contec
