
Medical Devices: How Secure Are They? And want to discuss this at BlackHat/DefCon?

In this Bloomberg article, Jordan Robertson discusses how medical devices have flaws that attackers can take advantage of. This is very commonplace, as embedded developers place an emphasis on features and functions over security or privacy in a memory-limited device. The article's example is also a rather simplistic one, as no hacker really gains any benefit from raising or lowering your insulin rate. Granted, the author alludes to a new type of assassin, as someone getting within 300ft of you and causing your pacemaker to stop would make a very efficient assassination. Although this example is a real possibility, it's unlikely: most sophisticated attackers seek higher gains for their attacks, looking for thousands of credit card numbers or other sorts of information.

I am going to make a leap of logic here… Let's say we're talking about a heart rate monitor, a patient entry (iPad) application or some other medical device in use by hospitals today. These devices may connect to a hospital database via wireless or other standard computing protocols to track numerous types of information, like patient names, medicine dispense rates, inventory, social security numbers, addresses and phone numbers (and BTW, three of those together, name, address and phone, are considered Personally Identifiable Information, which has to be protected as per state and federal legislation and guidance like NIST 800-122). A hospital database is a very attractive target.

Which leads to the bigger question: do the manufacturers of these medical devices use the correct encryption, Authorization (AuthZ) and Authentication (AuthC) routines? Have they tested for security flaws that may allow an attacker to use their device as an entry point into the medical network, which has no way of knowing the role or intent of its new denizen? Do they work through vignettes as per the Common Weakness Risk Analysis Framework (CWRAF) to determine risk, the access the device gains through interoperability, and how the device is actually run? Let's face it, these types of devices are now surfacing as a threat in a notoriously wide open environment. No one wants to leave a doctor unable to access patient data, cause medicine to go undispensed, or cause a death.

FDA involvement really does drive higher interest in security testing for medical devices. It's interesting, as we've been working in this market for years… And you'd probably be surprised at how many of our customers realize that what was once a code quality issue is now a security issue.

Jay Radcliffe presented some of these ideas two years ago at Black Hat, a renowned application security convention. This year's event begins on July 27th in Las Vegas; if you're around, why not swing by the Coverity booth? I'll be there, and would love to get your take on security in mission-critical devices. Just tweet me @jjacott to set up a time to chat.

John Jacott

The post Medical Devices: How Secure Are They? And want to discuss this at BlackHat/DefCon? appeared first on Software Testing Blog.
