Why are connected medical devices vulnerable to attack and how likely are they to get hacked? Here are five digital chinks in the armor.
There’s virtually no realm in healthcare today that isn’t adopting more technology. From real-time wireless access to your own health parameters through smart watches and wearables to implanted devices inside your body, technology is coming. But can we secure it all?
Several years ago at Black Hat, we saw an insulin pump being hacked. And whether the lion’s share of software on that device was off the shelf, regulators say that the integrator is responsible for security up and down the stack, including the underlying operating system (OS), even if it that OS has a good security track record. In other words: Device manufacturers bear the responsibility, no matter what technology they use.
While that casts the burden of security on the manufacturer, it also steeply increases the cost and complexity of bringing a device to market. As a result, while market pressures lean on companies to produce devices quickly, the road ahead looks rocky and expensive. Also, it can unknowingly put patients on the defense.
And what about patches, who’s responsible for those? According to the FDA, the manufacturer does that too. With some medical devices expected to be around for many years, that’s a long time to pay to support gear in the field.
What makes the devices vulnerable and how likely are they to get hacked? As this week’s theme of Cybersecurity Awareness Month focuses on the security of internet-connected devices in healthcare, here are five digital chinks in the armor:
Many medical devices integrate monitoring and interaction via Bluetooth, which has a long history of vulnerabilities. And while there may be patches, it’s hard to determine the real adoption rate and timeline in the field. Meanwhile, if your blood sugar measurement gets spoofed, you could be in real physical danger if you try to adjust blood glucose levels based on false readings.
Many hospitals have management computers for their medical equipment which run on older, unsupported Windows versions due to lagging updates from the manufacturer that did the integration. A manufacturer can’t simply push the latest Windows patch before extensive testing on their units to see integration issues, so patch vetting can be tricky. A would-be attacker has the advantage here, since they can deploy well-known exploits as soon as they come to light, and long before the manufacturer can react.
Many implanted devices “phone home” to medical clinicians through cloud connectivity to facilitate health status updates and trigger events where patients may need to seek attention. As we saw this year at Black Hat and DEF CON, cloud security can be less than stellar. It’s unlikely the patient would have a way to know about potential vulnerabilities, but attackers are quick to seize on known exploits, pumping them through their attack frameworks quite rapidly. In some cases, patients have opted out of external communications with their pacemakers citing hacking fears, but cloud adoption for implanted devices has strong tailwinds pushing further adoption.
Many medical devices plug into medical TCP/IP networks via Ethernet, but it would be very difficult for many clinicians and patients to notice a network tap placed inline with existing connections. By exfiltrating data across wireless links embedded in such a tap, attackers could snoop traffic and craft exploits. This way, attackers only need one-time physical access, and don’t necessarily have to return to retrieve the device if it’s deemed dangerous, due to their low cost.
Keyloggers have been standard fare for logging keystrokes from wireless keyboards for some time now, posing as fake USB chargers plugged into outlets, while simultaneously snooping for signals and exfiltrating them across industrial 4G wireless cards. This allows the capture of sensitive data like typed passwords, but can also allow attackers to attempt to download and install remote backdoor exploits by bypassing warning prompts from security products.
The medical field has been on its heels – security wise – for years. And while it may be making important strides, many medical devices have been performing fine all those years, lessening the perceived need to act. It will be a challenge to “modernize the fleet” for some years to come. Even so, medical folk have started to lean into the process and get the technical chops on staff to start moving the needle. Meanwhile, it might be wise to get to know any vulnerabilities that might affect your medical devices, especially if they are critically involved in your health care, as so many are.