Chinese-Made Patient Monitor Contains a Secret Backdoor

hobbes_dent@lemmy.world

It’s ok, surely our governments will keep us safe with their cutting edge cybersecurity practices and Microsoft.

Even a movie with Brad Pitt couldn’t convince that Trojan horses are a winning play. Too busy learning presidential birthplaces and stuff.

thebestaquaman@lemmy.world

At this point I have a hard time believing that anyone can buy a Chinese product and then talk about there being a "secret backdoor" in seriousness.

Come on: We all should know by now that if it's Chinese, there is more likely than not some way for Xi to use it for something other than what you want the product to do. There's nothing "secret" or "back" about this door. It's more like an open front gate with landing strips and a "welcome home Pooh bear" sign.

sunzu2@thebrainbin.org

everything has a backdoor... can we quit pretending that these zero day CVE are not back doors?

or we can't start naming them unless it is Chinese doing it?

deceptichum@quokk.au

Knock it off with the propaganda.

This is literally a deliberate back door.

And no, we can’t call zero days backdoors because they are not same thing.

The equipment, from China-based Contec Medical Systems, was mysteriously configured to connect to an IP address for a third-party university with no connection to the manufacturer.

The backdoor enables the IP address at the unnamed university to remotely download and execute unverified files on the patient monitor, CISA’s report says. In addition, the same backdoor automatically sends patient data to the IP address.

sunzu2@thebrainbin.org

Knock it off with the propaganda.

Please clarify this statement.

1984@lemmy.today

That ip address at a university is probably forwarding everything to some Chinese government agency. Now they can just blame the university and remove any trace of the real guys.

hakfoo@lemmy.sdf.org

There are valid questions, many of which revolve around how and why it's used.

Some systems have brain damaged approaches to diagnostics/logging, license enforcement, or remote service/update systems that create security holes but are not intentionally malicious.

Security is hard and we should remember Hanlon's Razor.

benjaben@lemmy.world

I get lots of mileage out of Hanlon's Razor, and I acknowledge the rampant incompetence that suggests its applicability, but digital security seems like about the least appropriate place to apply this rule of thumb.

acefuzzlord@lemm.ee

Anybody surprised to this must clearly have never looked up any news whatsoever about Communist China once in their life. This kinda stuff is probably common enough that it makes American 3 letter agencies wanna end their lives in embarrassment.

tal@lemmy.today

Frankly, I'm not sure that it's a good idea to have life-critical systems on the Internet in the first place, issues with backdoors aside.

hakfoo@lemmy.sdf.org

As someone who has to deal with PCI compliance issues, there's plenty of noob mistakes, out-of-date thinking and outright "let's log this data for debugging purposes even though if any regulator found out they'd nuke us from orbit."

benjaben@lemmy.world

Fair enough, I can imagine that pretty easily.

roflmasterbigpimp@lemmy.world

something something CIA something something USA WORSE!

llewellyn@lemm.ee

What happened at Tiananmen square?