Why We Must SLAM The Chinese Door
February 14, 2025 by Karl Denninger
The Cybersecurity and Infrastructure Security Agency (CISA) analyzed three versions of firmware for the Contec CMS8000, a patient monitor used by the Healthcare and Public Health sector, and discovered an embedded backdoor function with a hard-coded IP address, CWE – 912: Hidden Functionality (CVE-2025-0626), and functionality that enables patient data spillage, CWE – 359: Exposure of Private Personal Information to an Unauthorized Actor (CVE-2025-0683), exists in all firmware versions CISA analyzed. The Contec patient monitor CMS8000 (see Figure 1) is used in healthcare settings to monitor human vital signs.
This is a formal warning and it has CVEs assigned to it -- the unit has been caught not only transmitting data to China it also has the capacity to have its firmware and configuration updated without command or consent by the owner.
The really ugly part of this is that it allows forced updates without integrity checks or versioning.
This is the sort of capacity that could trivially be abused to either deliberately kill people by tampering with the display, thereby falsely displaying one or more body parameters that are untrue or simply brick all the devices in the field effectively at once in an unrecoverable and instantaneous fashion, thereby deliberately destroying the capacity of every health care system that uses these devices to provide patient care.
This is precisely the sort of threat posture that I have warned about repeatedly with embedded software that has any sort of remote update capability that goes outside your operational domain and is not under your direct control. It is the very reason that such capacity within vehicles, for example, is presumptively unsound and must be prohibited as a matter of law in any safety-critical device which, of course, anything involved in patient care or machinery (including cars and similar) is.
There is no way to have this device connected for remote monitoring and not have it subject to this risk. While facility managers can (and should) maintain a "sanitary" internal network that the device attempts to do this is proof of malicious intent in that the code to attempt to fetch, load and run said software has been verified as present, this is not documented and further the code to transmit data related to the person being monitored is also present (and again, not documented.)
This **** must stop and that the target address is a Chinese University is proof of Chinese government involvement and we must slam the door on these ****er's dicks right here and now in all respects, with regard to all electronic products, period and yes this means a complete, 100% bar on such devices being imported into and sold into the United States including immediate permanent revocation of whatever approval and permitting they currently hold. You use one of these beyond tomorrow on a person as an unapproved device you're a felon and you go to prison.
Make said devices here where such acts aimed at US resources can result in immediate criminal sanction as soon as this sort of intentional malfeasance is identified.
Further, this was trivially identified if anyone in the certification chain for these devices gave a **** and looked. Every single evaluating agency and individual involved must be identified, prosecuted, have their capacity to certify anything in the future permanently revoked with no exceptions. I do not care if this puts one or more firms out of business -- it not only should IT MUST do exactly that to EVERY certifying entity in the chain. That these devices got through said evaluation is proof of either deliberate act or worse, gross negligence which in turn means every single thing that entity certified must have its certification IMMEDIATELY REVOKED as well until those items can be confirmed as compliant by an adverse (that is, NOT friendly to the original entity) agency and set of individuals.
Imagine this scenario-- you are lying in a hospital after suffering a heart attack. You are attached to a Chinese made heart monitor. The monitor is set to show all good signals, yet you are suffering arrhythmias that indicate you will momentarily have a more serious cardiac episode. You die because the monitor is not sending out the warning it should. This situation could actually occur.
It is bad enough that the US Enslavement (Government) is actually engaged in effort to kill or at least sicken us, do we have to let Commie China do the same? Urge your representatives in Congress to ban all Chinese medical equipment that operates via a computer.
Blood Money by Peter Schweitzer mentions all those representatives in our government who have invited the Chinese Communist Party to invest in America. These traitors really should pay the supreme penalty for their actions; inorder to uphold our Constitution. There should be no exceptions.