Patient monitors may have some worrying security flaws
techradar.com
- CISA issues warning about Chinese-made monitor quietly relaying sensitive data
- Multiple devices were found carrying malicious code in the firmware
- The company tried, and failed, to address the flaw
At least three healthcare devices built by Chinese manufacturers were found with firmware backdoors apparently relaying sensitive information to a Chinese university.
The US Cybersecurity and Infrastructure Security Agency (CISA) recently issued a warning about the Contec CMS8000, a patient monitor used in hospitals and clinical settings to track vital signs such as ECG, blood pressure, oxygen saturation (SpO₂), respiratory rate, and temperature.
The agency said that an independent researcher discovered that the device was engaged in malicious activity, connecting to a hard-coded external IP address. BleepingComputer managed to determine that the IP address belonged to a “Chinese university”, but did not say which one.
Copyright of this story solely belongs to techradar.com.