Notably, the backdoor uploads data to an NFS share hosted on a university IP (the exact university has not been made clear). Data includes patient names, doctor names, date of birth, and the specific hospital department the patient is at.
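The post above describes the monitor mounting an NFS share on an outside IP. As an added example (not from this thread, the vendor, or the advisory), here is a small log check a hospital network team could run to catch that pattern: it flags hosts on a hypothetical patient-device VLAN opening NFS or portmapper connections to non-internal addresses. The log format, the device subnet and the sample lines are all constructed for the example.

```python
"""Flag NFS / portmapper traffic leaving a medical-device VLAN.

Added example, not code from the thread or the device vendor. Assumes a
simple key=value firewall log format and a hypothetical device subnet.
"""
import ipaddress
import re

# Hypothetical VLAN where the patient monitors live (assumption).
DEVICE_SUBNET = ipaddress.ip_network("10.20.0.0/16")
# Address space we treat as "inside the hospital": RFC 1918 plus loopback.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# NFS itself (2049) and the portmapper a mount normally starts with (111).
NFS_PORTS = {111, 2049}

LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+proto=(?P<proto>tcp|udp)\s+dport=(?P<dport>\d+)"
)


def is_external(addr: str) -> bool:
    """True when the destination is outside the internal ranges above."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def flag_nfs_exfil(lines):
    """Return (src, dst, dport) for device-VLAN hosts talking NFS to outside hosts."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        src = ipaddress.ip_address(m["src"])
        dport = int(m["dport"])
        if src in DEVICE_SUBNET and dport in NFS_PORTS and is_external(m["dst"]):
            hits.append((m["src"], m["dst"], dport))
    return hits


# Constructed sample log lines; 203.0.113.45 is a documentation address
# standing in for the external share, not a real indicator.
SAMPLE_LOG = [
    "src=10.20.5.17 dst=10.20.1.2 proto=tcp dport=443",      # internal HTTPS, fine
    "src=10.20.5.17 dst=203.0.113.45 proto=tcp dport=111",   # portmapper to outside
    "src=10.20.5.17 dst=203.0.113.45 proto=tcp dport=2049",  # NFS mount to outside
    "src=10.30.0.9 dst=203.0.113.45 proto=tcp dport=2049",   # not the device VLAN
    "src=10.20.5.18 dst=10.20.9.9 proto=udp dport=2049",     # NFS, but internal
]

if __name__ == "__main__":
    for src, dst, port in flag_nfs_exfil(SAMPLE_LOG):
        print(f"ALERT: device {src} -> {dst}:{port} (NFS/portmapper leaving the device VLAN)")
```

Feeding real firewall exports in requires only adapting `LINE_RE` to the local log format; blocking egress from the device VLAN to anything but the monitoring server is the corresponding mitigation.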
Someone is going to be going out of business soon and someone at a university is going to get very fired.
> Contec Medical Systems Co., Ltd. (hereinafter referred to as CONTEC) focusing on research, manufacture and distribution of medical instruments, was founded in 1996 as a high-tech company. CONTEC locates in Economic & Technical Development Zone in Qinhuangdao covered an area of 125 acres and building area of over 100000 square meter, which is one of the largest bases for R & D and production of medical devices in China.
https://contechealth.com/pages/company-introduction
I doubt it.
I work in medical software.
If you think the FDA or other regulating bodies wouldn't immediately tell care providers to yank these devices, you might be in for a surprise.
What's more mysterious to me is why there's a back door in a device like this. Seems like a bizarre way to attack your enemy.
Why attack people when you can exploit their data to make money? This is some growth "hacking" to make a list of sales leads.
Because there are far, far simpler ways to figure out what a hospital wants, or what a patient needs to deal with their health needs. I'm going to bet that the completely legal practice of building a profile off of what a person has installed on their phone and their web searches is more effective than collecting their vitals and turning that into sales leads. You could just ask the health system what they need. That's what leads to a lot of our product initiatives.
It almost makes me wonder if there's a component in the hardware or software that's shared with other devices manufactured in China that are better attack vectors and they just tossed it into this one because, hey, it works.
The inverse of “defense in depth” is “flooding the zone”.
Can't gather new data from the phone if that person is in a coma. But, hey, now the relatives can get coffin adverts before the doctor brings the bad news! /s
That backdoor, if it reports to a university, is probably put there to facilitate a study/diploma/phd or something like that.
I doubt anyone at the university was involved, or is in trouble. I rather suspect that the university was told "put this on your network and don't ask too many questions".
It also contains an out-of-bounds write, which could lead to RCE. https://www.cve.org/CVERecord?id=CVE-2024-12248