Notably, the backdoor uploads data to an NFS share hosted on a university IP (the exact university has not been made clear). Data includes patient names, doctor names, date of birth, and the specific hospital department the patient is at.
> Contec Medical Systems Co., Ltd. (hereinafter referred to as CONTEC), focusing on the research, manufacture and distribution of medical instruments, was founded in 1996 as a high-tech company. CONTEC is located in the Economic & Technical Development Zone in Qinhuangdao, covering an area of 125 acres with a building area of over 100,000 square meters, and is one of the largest bases for R&D and production of medical devices in China.
Because there are far, far simpler ways to figure out what a hospital wants, or what a patient needs to deal with their health needs. I'm going to bet that the completely legal practice of building a profile off of what a person has installed on their phone and their web searches is more effective than collecting their vitals and turning that into sales leads. You could just ask the health system what they need. That's what leads to a lot of our product initiatives.
It almost makes me wonder if there's a component in the hardware or software that's shared with other devices manufactured in China that are better attack vectors and they just tossed it into this one because, hey, it works.
Can't gather new data from the phone if that person is in a coma. But, hey, now the relatives can get coffin adverts before the doctor brings the bad news! /s
That backdoor, if it reports to a university, is probably put there to facilitate a study/diploma/phd or something like that.
I doubt anyone at the university was involved, or is in trouble. I rather suspect that the university was told "put this on your network and don't ask too many questions".
1. Why wouldn’t CISA release the IP address? Blocking a specific IP is much easier for a hospital than patching or replacing every affected device. Some might argue that hospitals should just remove the device altogether, but CISA has stated that keeping the device and disabling its network capability is an acceptable solution. It seems very odd not to disclose the IP address. The only plausible explanation is that they want to monitor U.S.-based egress traffic to that IP.
2. The backdoor transmits data in plain text to a static IP address—something a competent hospital network administrator would have inevitably discovered.
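The two points above (blocking a single destination IP is the cheap mitigation, and plaintext NFS egress to a static IP is something a network team should be able to spot in flow data) can be demonstrated with a small flow-audit script. This is an added example written for this thread, not code from CISA, Contec, or any commenter. It assumes a made-up patient-monitor VLAN of 10.50.0.0/16, treats anything outside RFC 1918 space as external, uses the NFS ports 111 (portmapper) and 2049 (nfs), and uses constructed flow records with documentation-range addresses; the real destination IP was not disclosed, so 203.0.113.77 is a placeholder, not the actual one.

```python
"""Audit flow records for patient-monitor traffic leaving the site on NFS ports.

Added example for the discussion above; all networks, ports and flows below are
assumptions or constructed samples, not data from the advisory.
"""
import ipaddress
from collections import defaultdict

# Assumed VLAN that holds the patient monitors.
DEVICE_VLAN = ipaddress.ip_network("10.50.0.0/16")

# RFC 1918 space; anything else is treated as "external" for this audit.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Ports an NFS client touches: portmapper and nfs itself.
NFS_PORTS = {111, 2049}

# Constructed sample flows in the shape a NetFlow/conntrack exporter might give.
# 203.0.113.77 is a documentation-range placeholder for the undisclosed IP.
SAMPLE_FLOWS = [
    {"src": "10.50.1.21", "dst": "10.50.0.5",    "dport": 2049, "bytes": 4096},   # in-VLAN NFS, fine
    {"src": "10.50.1.21", "dst": "203.0.113.77", "dport": 2049, "bytes": 81920},  # monitor -> external NFS
    {"src": "10.50.1.22", "dst": "203.0.113.77", "dport": 111,  "bytes": 512},    # monitor -> external portmap
    {"src": "10.50.1.23", "dst": "198.51.100.9", "dport": 443,  "bytes": 2048},   # monitor -> external HTTPS
    {"src": "10.20.3.4",  "dst": "203.0.113.77", "dport": 2049, "bytes": 100},    # not a monitor, ignored here
]


def is_external(ip: str) -> bool:
    """True if the address is outside all RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def suspicious_egress(flows, vlan=DEVICE_VLAN):
    """Return flows whose source is a monitor and whose destination is external.

    Monitors have no legitimate reason to talk to the internet directly, so every
    such flow is worth a look regardless of port.
    """
    return [
        f for f in flows
        if ipaddress.ip_address(f["src"]) in vlan and is_external(f["dst"])
    ]


def nfs_egress_by_destination(flows, vlan=DEVICE_VLAN):
    """Map each external destination contacted on an NFS port to the monitors using it.

    One destination reached by many monitors on 111/2049 is the fingerprint of a
    hard-coded NFS server rather than a one-off misconfiguration.
    """
    hits = defaultdict(set)
    for f in suspicious_egress(flows, vlan):
        if f["dport"] in NFS_PORTS:
            hits[f["dst"]].add(f["src"])
    return dict(hits)


def block_rules(destinations):
    """Render one nftables drop rule per destination (assumed forward chain 'inet filter forward')."""
    return [
        f"nft add rule inet filter forward ip daddr {dst} drop"
        for dst in sorted(destinations)
    ]


if __name__ == "__main__":
    for f in suspicious_egress(SAMPLE_FLOWS):
        print("external egress:", f["src"], "->", f["dst"], "port", f["dport"], f["bytes"], "bytes")
    by_dst = nfs_egress_by_destination(SAMPLE_FLOWS)
    for dst, sources in by_dst.items():
        print(f"NFS destination {dst} used by {len(sources)} monitor(s): {sorted(sources)}")
    for rule in block_rules(by_dst):
        print(rule)
```

Run against a day of real flow exports, the interesting output is not the individual flows but the aggregation: a single external host that several monitors all reach on 111/2049 is what a hard-coded NFS target looks like, and it is the address that belongs in a drop rule (and in an alert) while devices are pulled off the network or patched.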