1. Why wouldn’t CISA release the IP address? Blocking a specific IP is much easi... | Hacker News

Hacker News new | past | comments | ask | show | jobs | submit

login

		patrickhogan1 10 days ago \| parent \| context \| favorite \| on: Patient Monitor Contec CMS8000 Contains a Backdoor 1. Why wouldn’t CISA release the IP address? Blocking a specific IP is much easier for a hospital than patching or replacing every affected device. Some might argue that hospitals should just remove the device altogether, but CISA has stated that keeping the device and disabling its network capability is an acceptable solution. It seems very odd not to disclose the IP address. The only plausible explanation is that they want to monitor U.S.-based egress traffic to that IP. 2. The backdoor transmits data in plain text to a static IP address—something a competent hospital network administrator would have inevitably discovered.

decio 9 days ago [–]

The weird thing about this advisory is that the hardcoded IP addresses (202.114.4[.]119) are the same ones found in the online installation manuals for Contec and affiliated brands ( https://help.xchart.com/en/articles/7943824-configuring-edan... ).

This was confirmed through firmware analysis: https://x.com/craiu/status/1885341007576801338 and in the manuals: https://infosec.exchange/@decio/113928319441297901

Consider applying for YC's Spring batch! Applications are open till Feb 11.
Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact