LAS VEGAS—By now, we’ve grown relatively accustomed to the idea that Internet of Things devices are inherently vulnerable. Left unpatched, they can be exploited by attackers in ingenious and destructive ways, as we saw when the Mirai botnet deployed an army of insecure “security” cameras to attack Domain Name System servers last fall, pushing dozens of popular websites offline.

One thing we probably haven’t quite internalized: When an Internet-connected device is implanted in your body to help you maintain your heart rate or regulate the insulin in your bloodstream, bad security can quite literally be hazardous to your health.

At the 25th DefCon conference here last weekend, security researchers took on a new challenge: uncovering flaws in dozens of biomedical devices, from pacemakers and insulin pumps to glucose monitors and digital intravenous drips.

Bringing biomed to DefCon was more about starting a dialogue about security—and thus safety—than hacking devices, says Beau Woods, deputy director of Cyber Statecraft Initiative at the Atlantic Council, and a member of I Am The Cavalry, a volunteer organization that oversaw DefCon’s Biohacking Village.



READ MORE ON THE INTERNET OF THINGS

Critical systems at heart of WannaCry’s impact
Time for a Department of the Internet of Things?
The long reach of Mirai, the Internet of Things botnet
Hackers call for federal funding, regulation of software security
Shut the front door: The state of the ‘smart’ lock
5 questions to ask before buying an IOT device
Living on the edge of heartbreak: Researcher hacks her own pacemaker


“We wanted to encourage a safe space for medical-device makers, security researchers, health care practitioners, the FDA [Food and Drug Administration], and others to come together and have conversations,” he says.

It couldn’t come at a better time. Biomed security is in critical condition, says Aditya Gupta, CEO of IoT security firm Attify.

“We have worked with a number of medical companies in the U.S. and India, and found all sorts of vulnerabilities,” says Gupta, who used the conference in part to promote his recently published IoT Hacker’s Handbook. “Even extremely sensitive medical devices are really insecure.”

The real dangers

Once attackers gain access to a biomedical device, they could use a radio replay attack—intercepting signals sent by the device, altering them, and sending them back—Gupta says. For example, attackers could alter an insulin pump to increase the flow of insulin to a diabetic patient’s bloodstream.

“Let’s say the device is supposed to deliver 0.2 milligrams of insulin every hour,” he says. “An attacker could change that to 20mg every 2 seconds,” killing the patient rather quickly.

Radio replay vulnerabilities are the most common flaw in medical devices, Gupta says, because most devices transmit their data unencrypted.

Attackers could also “weaponize physicians” by giving them false information, says Ted Harrington, executive partner at Independent Security Evaluators and organizer of DefCon’s IoT Village.

“They had to shut down parts of the hospital.”Aditya Gupta, author of IoT Hacker’s Handbook and CEO of Attify.

An attacker could manipulate a heartbeat monitor, for example, to indicate that a patient’s heart has stopped when it, in fact, has not, Harrington says. This scenario could prompt a physician to jolt the patient with 300 volts of electricity. Conversely, attackers could prevent a monitor from indicating when patients are suffering actual cardiac events—with dire consequences.

Rather than victimize individual patients, however, attackers are more likely to shut down a hospital’s entire network, seeking financial reward, Gupta acknowledges. Over the last couple of years, attackers intent on making fast cash have launched a bevy of ransomware attacks on health care providers, locking up their systems until a ransom is paid. In some cases, the attacks locked hospitals out of medical systems as well as computers.

One Midwest provider that fell victim to ransomware “called in three or four security companies to remove it, but eventually ended up paying the entire ransom,” Gupta recalls. “They had to shut down parts of the hospital.”

Up close and personal

Many connected biomed devices lack basic protections against common attacks precisely because they weren’t initially designed to even connect to a network, Woods says.

“Because of changes in policy, medical capabilities, and health insurance, these devices were retrofitted to be massively connected to everything,” he says.

According to a June 2017 report by the Health Care Industry Cybersecurity Task Force, a single piece of legacy technology equipment contained more than 1,400 vulnerabilities.

Health care organizations often have good reasons for connecting these devices to the network, Woods says. For example, increasing the amount of data available to physicians can lead to better outcomes for patients. But prioritizing the “meaningful use” of devices over secure design has plagued connected medical devices for years.

“One of the founders of I Am The Cavalry, Josh Corman, calls it ‘the original sin of health care,’” Woods adds.

Devices that connect wirelessly to other equipment can also be compromised, Harrington notes.

“In some cases, you might need to wave a wand within 2 inches of the patient to communicate with the device, which lowers the probability of an attack,” he says. “Still, all an attacker has to do is figure out how to intercept that traffic and amplify the signal.”

And some devices can be attacked from a surprising distance, Gupta says.  

“In most cases, you have to be within a certain range, but using a good directional antenna, you would be able to compromise some devices from a half mile away,” he says.

Bad medicine

Woods says that while security varies widely across the medical-device industry, security researchers, regulators, and others are driving major improvements.

“The best medical devices from the best device makers are really good,” he says. “The worst devices, which may be 30 years old, from a company that’s gone out of business, will have really bad security.”

I Am The Cavalry, Woods adds, has created a Hippocratic Oath for Connected Medical Devices to encourage device makers to embrace better security practices.

Gupta says that while most major medical-device makers are working to patch vulnerabilities, many health care organizations fear that publicizing their flaws will draw unwanted attention from cybercriminals.

“They’d rather remain insecure and just not talk about it,” he says, pointing out the fallacy of so-called security through obscurity.

Connected medical devices’ biggest security problem, Woods says, is a lack of technical expertise in medical organizations.

“The most troubling thing is the fact that most health care providers don’t have a single security person on staff,” he says. “Many medical providers have fewer than 10 employees. If the trade-off is to hire a new physician or a CIO, most of them will decide in favor of the physician.”