US federal agencies have warned that a popular Chinese-made patient monitor device used in medical settings across the US and Europe has a built-in backdoor that leaks patient data to an unauthorized remote server. The backdoor, which is also present in a rebranded version of the device, additionally allows that remote server, which appears to belong to a university, to execute unauthorized code on the device.
According to a safety advisory from the US Food and Drug Administration (FDA), which authorizes medical devices for use in the US, the affected patient monitors are the Contec CMS8000 and the Epsimed MN-120, a relabeled version of the Contec device. The devices are used to monitor patients’ vital signs, including electrocardiogram, heart rate, blood oxygen saturation, noninvasive blood pressure, temperature, and respiration rate.
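The behaviour described above, a bedside monitor quietly contacting a remote server it has no business talking to, is exactly the kind of thing a hospital network team can catch with egress monitoring on the clinical VLAN. The following is an added example, not code from the article, the FDA advisory, or the manufacturer: it parses constructed firewall log lines and flags any outbound flow from a known patient monitor to a destination that is not on the hospital's allow-list. The device addresses, the allow-list, the log format and every IP address in it (including the `203.0.113.45` placeholder standing in for an unknown external host) are constructed for illustration; the real remote server address from the advisory is deliberately not part of this example.

```python
"""Egress check for networked patient monitors (added example, constructed data).

Every outbound flow whose source is a known patient monitor and whose destination
is not on the allow-list is reported. Destinations outside the RFC 1918 private
ranges are called out separately, since those match the 'unauthorized remote
server' pattern; unexpected internal destinations are still reported.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed asset inventory: patient monitors on the clinical VLAN.
PATIENT_MONITORS = {
    "10.20.5.11": "Contec CMS8000 (bed 4)",
    "10.20.5.12": "Epsimed MN-120 (bed 7)",
}

# Constructed allow-list: the only hosts a bedside monitor should ever contact
# (central monitoring station and the network time server).
ALLOWED_DESTINATIONS = (
    ipaddress.ip_network("10.20.1.50/32"),   # central station
    ipaddress.ip_network("10.20.1.123/32"),  # NTP
)

# RFC 1918 ranges; anything outside these is treated as an external address.
PRIVATE_RANGES = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)

# Simplified syslog-style firewall line (constructed format), e.g.
# "2025-01-30T10:15:02Z fw01 ALLOW TCP 10.20.5.11:51123 -> 203.0.113.45:515"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

REASON_EXTERNAL = "contacts address outside the private ranges"
REASON_INTERNAL = "contacts non-allow-listed internal host"


@dataclass(frozen=True)
class Finding:
    timestamp: str
    device: str
    src: str
    dst: str
    dport: int
    action: str
    reason: str


def _in_any(addr: ipaddress.IPv4Address, networks) -> bool:
    return any(addr in net for net in networks)


def check_flows(log_lines):
    """Return a Finding for each outbound flow from a patient monitor to an
    unexpected destination, in log order."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable lines are skipped rather than trusted
        src = m.group("src")
        if src not in PATIENT_MONITORS:
            continue  # only monitor-originated traffic is in scope here
        dst = ipaddress.ip_address(m.group("dst"))
        if _in_any(dst, ALLOWED_DESTINATIONS):
            continue
        reason = REASON_INTERNAL if _in_any(dst, PRIVATE_RANGES) else REASON_EXTERNAL
        findings.append(Finding(
            timestamp=m.group("ts"),
            device=PATIENT_MONITORS[src],
            src=src,
            dst=str(dst),
            dport=int(m.group("dport")),
            action=m.group("action"),
            reason=reason,
        ))
    return findings


# Constructed sample log: routine traffic to the central station and NTP, a
# monitor reaching an external placeholder address, an unrelated workstation,
# and a denied lateral attempt from a monitor to another internal host.
SAMPLE_LOG = [
    "2025-01-30T10:15:01Z fw01 ALLOW TCP 10.20.5.11:50001 -> 10.20.1.50:4002",
    "2025-01-30T10:15:01Z fw01 ALLOW UDP 10.20.5.12:123 -> 10.20.1.123:123",
    "2025-01-30T10:15:02Z fw01 ALLOW TCP 10.20.5.11:51123 -> 203.0.113.45:515",
    "2025-01-30T10:15:03Z fw01 ALLOW TCP 10.20.7.9:44321 -> 203.0.113.45:443",
    "2025-01-30T10:15:04Z fw01 DENY TCP 10.20.5.12:51124 -> 10.20.9.9:22",
]

if __name__ == "__main__":
    for f in check_flows(SAMPLE_LOG):
        print(f"{f.timestamp} {f.device} {f.src} -> {f.dst}:{f.dport} "
              f"[{f.action}] {f.reason}")
```

Run against the sample log, the check reports two findings: the Contec monitor reaching the external placeholder address, and the Epsimed monitor's denied attempt to reach another internal host. The point of the allow-list design is that it does not depend on knowing the remote server's address in advance: a monitor has a very small set of legitimate peers, so anything else is worth an alert.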
Contec Medical Systems is one of the largest Chinese medical device manufacturers, with headquarters in Qinhuangdao and subsidiaries in Chicago, Dusseldorf, and New Delhi. In addition to patient monitors, the company produces a wide range of medical products, including pumps, ultrasound systems, endoscopes, respiratory aids, EEG and EMG systems, and diagnostic devices.