Medical monitors have critical security flaws, allowing unauthorized code execution and patient data leaks.
February 3, 2025
The FDA and CISA have issued warnings about vulnerabilities in medical monitors that could execute unauthorized code and leak patient data to an unknown server. While no direct harm has been reported yet, these flaws could lead to incorrect treatment, privacy breaches, and fraud. Experts recommend improved software security practices, network monitoring, and disabling unnecessary device connections to mitigate risks.
On Thursday, the Food and Drug Administration (FDA) released a security alert for a medical monitor after researchers discovered several vulnerabilities. Security vulnerabilities sometimes fall into a hype trap, but this one is worth attention. The “reverse backdoor” installed on these devices has the potential to cause harm to patients in home settings and medical facilities across the country.
According to the Cybersecurity & Infrastructure Security Agency’s (CISA) detailed technical report, there are two separate issues with these devices. The first is that the device, manufactured by a China-based company, could run unexpected code hosted at an unidentified university. Affected devices automatically attempt to connect to that server and copy files to the device. This opens the device to the possibility of running third-party software without the user’s knowledge or consent. Subsequent firmware updates from the manufacturer attempt to mitigate this, but as of the CISA publication, the mitigation is ineffective.
The second issue with the affected devices is that they broadcast patient data to the same server at the unidentified university. Security researchers were able to observe the devices sending information such as patient and doctor names, the patient’s date of birth, and sensor readings. As with the first issue, the code responsible attempts to enable the network connection even when the user has disabled it.
While neither CISA nor the FDA has any indication of direct harm from these devices, several possibilities exist. Because the affected devices can execute code from a third party, this code could cause harm intentionally or through attack by another party. The risk here is even greater because there appears to be no verification of code copied from the remote server, which increases the risk of adversary-in-the-middle compromises. To reiterate: none of the scenarios below are known to have occurred, but they are plausible risks.
One possible avenue for patient harm is that the malicious code disables monitoring or corrupts data, leading care providers to miss health issues or provide the incorrect treatment. In addition, the monitors have a drug concentration calculation feature. If that is compromised and providers use it for administering medication, patients could receive too much or too little. Thankfully, the device does not control the administration of medication; it only provides a calculation. However, the device does have the ability to control a blood pressure cuff in either manual or automatic modes. Over-inflation of the cuff could cause pain or injury.
The exfiltration of patient data to an unknown third party also poses concerns. At this time, it’s not publicly known who is behind these backdoors or what their motivation is. The “best” scenario is that they’re unethically collecting data for medical research. However, they could also be collecting data to enable fraud. With the patient’s date of birth, date of hospitalization, and doctor’s name, it would be easy to craft a seemingly legitimate bill to trick the patient into paying the scammer. It’s also possible that there’s no intended purpose at the moment and the attacker is simply collecting data in the hope that it may prove useful down the line.
Patients aren’t the only ones at risk, either. Providers could be tricked into divulging additional information to an attacker with enough information to impersonate the real patient. There could be the possibility of legal risk as well. Various laws protect the privacy of patient information. According to the American Medical Association, unknowing violations of HIPAA protections can result in fines of $100–50,000. Because these devices appear to be automatically attempting to stream patient data to a third party, providers may have already committed HIPAA violations.
Again, none of the above scenarios are known to have occurred at the time of publication. The point is not to highlight what has happened in this specific instance, but the kinds of impacts that can result from vulnerable devices generally.
Ultimately, the fault for these vulnerabilities lies with the manufacturer, whether they were aware of it or not. Without knowing how the vulnerabilities came to be, it’s impossible to say what the manufacturer should have done differently. However, consumers can still play a role in protecting against these sorts of attacks.
The first set of preventative measures includes secure software supply chain practices. This includes performing independent code audits, whether sponsored by an individual consumer, a trade association, or a regulatory agency. Consumers should also require encrypted transport of updates (for example, using HTTPS) to guard against adversary-in-the-middle attacks, and cryptographic verification of downloaded updates to ensure the software has not been tampered with.
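As an added example (not code from the original post or from any device manufacturer) of the update verification called for above: the device pins the vendor's public key and refuses any image whose Ed25519 signature over its SHA-256 digest fails to verify, so an image swapped in transit is rejected even if the download itself succeeded. The key pair, image bytes, and function names are assumptions constructed so the snippet runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrBadSignature is returned when an image must not be installed.
var ErrBadSignature = errors.New("update signature invalid: refusing to install")

// SignUpdate is the vendor-side step: sign the SHA-256 digest of the image.
// On a real device this never runs; only the public key is shipped (pinned in firmware).
func SignUpdate(priv ed25519.PrivateKey, image []byte) []byte {
	digest := sha256.Sum256(image)
	return ed25519.Sign(priv, digest[:])
}

// VerifyUpdate is the device-side check that the page says is missing:
// recompute the digest locally and verify it against the pinned public key.
// TLS on the download protects the channel; this protects the content.
func VerifyUpdate(pinnedPub ed25519.PublicKey, image, sig []byte) error {
	digest := sha256.Sum256(image)
	if !ed25519.Verify(pinnedPub, digest[:], sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	// Assumed vendor key pair, generated here only so the example runs offline.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image v1.0") // stand-in for a real update file
	sig := SignUpdate(priv, image)

	fmt.Println("genuine image:", VerifyUpdate(pub, image, sig)) // <nil>

	// Simulate an adversary-in-the-middle altering one byte in transit.
	tampered := append([]byte{}, image...)
	tampered[0] ^= 0xff
	fmt.Println("tampered image:", VerifyUpdate(pub, tampered, sig)) // refuses to install
}
```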
Good IT practices will help as well. While most organizations monitor their networks for unexpected or undesired inbound traffic, not as many monitor for unexpected outbound traffic. Monitoring at both the device and network perimeter level helps to detect data exfiltration and other attacks sooner. When possible, isolated internal networks should be used for sensitive equipment so that vulnerable devices are prevented from leaking data or being exploited by outsiders.
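An added example, not part of the original post, of the outbound-traffic monitoring described above: a small Go checker reads constructed flow records and flags any flow from the monitor subnet to a destination that is not on its allowlist. The subnet 10.20.5.0/24, the two allowed internal hosts, the documentation-range external addresses, and the key=value log format are all assumptions; real deployments would feed it exported flow logs instead.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Constructed flow records (not real device logs). The third line models a
// monitor reaching an outside host; the fourth is from a different VLAN.
const sampleFlows = `2025-02-03T10:15:02Z src=10.20.5.17 dst=10.20.5.2 dport=443 proto=tcp
2025-02-03T10:15:09Z src=10.20.5.17 dst=10.20.5.3 dport=123 proto=udp
2025-02-03T10:15:11Z src=10.20.5.17 dst=203.0.113.45 dport=515 proto=tcp
2025-02-03T10:15:13Z src=10.20.7.9 dst=198.51.100.8 dport=443 proto=tcp`

// Assumed layout: monitors live in 10.20.5.0/24 and should only talk to the
// central station (10.20.5.2) and the local NTP server (10.20.5.3).
var monitorNet = netip.MustParsePrefix("10.20.5.0/24")
var allowedDst = map[string]bool{"10.20.5.2": true, "10.20.5.3": true}

// fields splits one "key=value key=value" log line into a map.
func fields(line string) map[string]string {
	m := map[string]string{}
	for _, tok := range strings.Fields(line) {
		if k, v, ok := strings.Cut(tok, "="); ok {
			m[k] = v
		}
	}
	return m
}

// UnexpectedEgress returns every line where a monitor contacts a destination
// outside the allowlist; each hit is a candidate for exfiltration or an update
// fetch from an unknown server and should be investigated.
func UnexpectedEgress(log string) []string {
	var hits []string
	for _, line := range strings.Split(log, "\n") {
		f := fields(line)
		src, errSrc := netip.ParseAddr(f["src"])
		dst, errDst := netip.ParseAddr(f["dst"])
		if errSrc != nil || errDst != nil || !monitorNet.Contains(src) {
			continue // malformed line or not a monitor: out of scope for this check
		}
		if !allowedDst[dst.String()] {
			hits = append(hits, line)
		}
	}
	return hits
}

func main() {
	for _, h := range UnexpectedEgress(sampleFlows) {
		fmt.Println("ALERT unexpected outbound flow:", h)
	}
}
```

The same allowlist logic works as a firewall egress policy; running it as a detector as well catches the case the page describes, where the device re-enables a connection the operator turned off.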
Perhaps the simplest mitigation approach is to disable unnecessary features and to leave devices off the network when they don’t need to be connected. The compromised devices in this particular case seem to use only the Ethernet connection. If no Ethernet cable is plugged in, it doesn’t matter that the malware forces the port to be enabled.
As federal agencies continue their work to investigate these devices, there’s no doubt that we’ll learn more about how the backdoors were inserted. But what we do know highlights the effects that software could have in the physical world. Proactive monitoring and security tactics will help minimize the risk of future vulnerabilities.