Abusing IoT Medical Devices For Your Precious Health Records, presented at DerbyCon VIII Evolution 2018

by Saurabh Harit and Nick Delewski

Summary: This talk discusses the risks of connected healthcare devices. It looks at the benefits of adopting IoT for medical devices, their current exposure, the communication channels commonly in use, and the ways these devices are interconnected with other critical components. Based on the output of security assessments performed against medical devices widely deployed at various hospitals and medical institutions, we will present an in-depth analysis of the target medical device and explain how we were able to compromise such devices to gain access to a plethora of medical records from all the medical institutions they were deployed at, not just the one where our target devices were hosted.

We will introduce the threat surface exposed by various medical devices and present some real-world attacks against popular devices, along with their impact on humans as well as on the overall ecosystem they are connected to. Some devices rely on proprietary hardware on licensed bands, which reduces the risk of interference from consumer connected devices but does not provide the security implied in marketing materials. Others rely on standard WiFi security measures for confidentiality and are prone to MitM attacks. Healthcare devices that implement IrDA can yield interesting results when interfaced with cheap $10 hardware.

Many consumer items fall under the umbrella of IoT, and while it may be hard to understand the impact of hacking a toaster, we can all agree that manipulation of a medical device could lead to rather serious consequences. Apart from putting a patient's life at risk, an attacker could compromise a healthcare device to steal patient data. This presentation will primarily focus on the latter, with real-world examples and a case study. We will demonstrate the compromise of a healthcare device to steal medical records, which typically include PII, health insurance data, medical history, SSNs, prescriptions, etc.