FDA Adverse Event Malfunction Summary report: N

CONTEC CMS8000 ICS PATIENT MONITOR

MDR report key: 20291070 · Received September 20, 2024

Report

Report Number
MW5159958
Event Type
Malfunction
Date Received
September 20, 2024
Report Date
September 16, 2024
Manufacturer
CONTEC MEDICAL SYSTEMS CO.
Product Code
DRT
Product Problem
Yes
Report Source
Voluntary report
Reporter Location
VA, US
Reporter Occupation
UNKNOWN
Health Professional
*

Narratives

Description of Event or Problem · 0

THERE IS A SERIOUS CYBER SECURITY VULNERABILITY IN THE CONTEC CMS8000 ICS PATIENT MONITOR. THIS VULNERABILITY WAS DISCOVERED AS PART OF OUR WORK WITH ARPA-H (HTTPS://ARPA-H.GOV/) UNDER THE DIGIHEALS (HTTPS://ARPA-H.GOV/RESEARCH-ANDFUNDING/PROGRAMS/DIGIHEALS) PROGRAM IN AN EFFORT TO IMPROVE HOSPITAL AND MEDICAL DEVICE CYBERSECURITY. THIS VULNERABILITY WAS DISCLOSED TO CISA (HTTPS://WWW.CISA.GOV/COORDINATED-VULNERABILITY-DISCLOSURE-PROCESS) ON JULY 24, 2024. ==DESCRIPTION == THE CMS800 DEVICE DOES NOT PERFORM BOUNDS CHECKING WHILE PARSING NETWORK DATA SENT BY A THREAT ACTOR. A THREAT ACTOR WITH NETWORK ACCESS CAN REMOTELY ISSUE A SPECIALLY FORMATTED UDP REQUEST THAT WILL ALLOW THEM TO WRITE ARBITRARY DATA, LEADING TO REMOTE CODE EXECUTION (RCE) WITH ROOT PRIVILEGES AND PERSISTENCE. TWO SEQUENTIAL UDP BROADCAST REQUESTS COULD BE SENT THAT CAUSE A MASS TAKEOVER OF ALL CME8000 DEVICES CONNECTED TO THE SAME NETWORK. (B)(4).

Devices

Seq Brand Generic Product Code Manufacturer Model Lot UDI-DI
1243528 CONTEC CMS8000 ICS PATIENT MONITOR MONITOR, CARDIAC (INCL. CARDIOTACHOMETER & RATE ALARM) DRT CONTEC MEDICAL SYSTEMS CO. CMS8000

Patients

Seq Age Sex Outcome Treatment
1 NA Unknown