Unpatched Security Bugs in Medical Wearables Allow Patient Tracking, Data Theft

Rising numbers of critical unpatched vulnerabilities and a lack of encryption leave medical device data defenseless, researchers warn.

Telehealth care is on the rise as medical service providers cope with the strain of a pandemic and rising costs. But the rush to roll out remote healthcare has also unleashed a universe of wearable medical devices to collect sensitive data, which researchers say are widely vulnerable to attack.

Analysts with Kaspersky Labs reported finding 33 vulnerabilities last year in the most widely used data transfer protocol for internet of things (IoT) medical devices, known as MQTT — that’s 10 more than the previous year. All of them put patient data at risk, the team warned.

To put those numbers in perspective, the analysts at Kaspersky said only 90 vulnerabilities in MQTT have been reported since 2014. Worse yet, many of those bugs are still unpatched, they added.


“Overall, we expected that 2021 would be a year of greater collaboration between the medical sector and IT security specialists,” the Kaspersky team said. “In some ways, our expectations were met, but the explosive growth of telehealth has brought new challenges to this collaboration which have yet to be solved.”

Experiencing astronomical growth since the onset of the pandemic, the total medical device market (including healthcare wearables from Apple, Fitbit, Samsung and several other device-makers) will top $195 billion by 2027, a recent report from Fortune Business Insights predicted.

“The pandemic has led to a sharp growth in the telehealth market, and this doesn’t just involve communicating with your doctor via video software,” said Maria Namestnikova, head of the Russian Global Research and Analysis Team (GReAT) at Kaspersky. “We’re talking about a whole range of complex, rapidly evolving technologies and products, including specialized applications, wearable devices, implantable sensors and cloud-based databases.”

Medical Device Man-in-the-Middle Troubles

MQTT’s convenience makes it a common solution in most IoT gadgets, including medical devices. But, as the Kaspersky researchers point out, authentication isn’t required, and encryption is sparse, making devices with MQTT exposed to man-in-the-middle attacks and data theft.
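As an added example (not from the Kaspersky report or this article), the following Python audit flags the two broker weaknesses the paragraph describes, unauthenticated access and unencrypted transport, in constructed Mosquitto-style MQTT broker configurations. Mosquitto and its option names are an assumption, since the article names only the protocol; the certificate and password-file paths are placeholders.

```python
"""Audit an MQTT broker configuration (Mosquitto syntax assumed) for
missing authentication and missing TLS, the gaps the article highlights."""

# Constructed sample: permissive defaults a device vendor might ship.
WEAK_CONF = """
listener 1883
allow_anonymous true
"""

# Constructed sample: the hardened equivalent, TLS on 8883 with client
# certificates and a password file (paths are placeholders).
HARDENED_CONF = """
listener 8883
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key
tls_version tlsv1.2
require_certificate true
allow_anonymous false
password_file /etc/mosquitto/passwd
"""


def parse_listeners(conf):
    """Return {port_or_None: {option: value}}. Options after a 'listener'
    line are attributed to that listener; earlier ones go under None."""
    listeners = {None: {}}
    current = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key == "listener":
            current = value.split()[0]  # port; optional bind address ignored
            listeners[current] = {}
        else:
            listeners[current][key] = value.strip()
    return listeners


def audit(conf):
    """Return a list of (port, finding) tuples; an empty list means clean."""
    findings = []
    listeners = parse_listeners(conf)
    global_opts = listeners.pop(None)
    for port, opts in listeners.items():
        merged = {**global_opts, **opts}  # listener options override global
        if merged.get("allow_anonymous") == "true":
            findings.append((port, "anonymous clients accepted: no authentication"))
        if "certfile" not in merged or "keyfile" not in merged:
            findings.append((port, "no TLS certfile/keyfile: traffic in plaintext"))
        elif merged.get("tls_version") in ("tlsv1", "tlsv1.1"):
            findings.append((port, "obsolete TLS version: use tlsv1.2 or newer"))
    return findings
```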

Beyond the protocol itself, Kaspersky reported finding concerning flaws in the most common wearable device platform, Qualcomm Snapdragon Wearable. The platform has been riddled with bugs, the team added, bringing the total number of vulnerabilities found in the platform since it was launched in 2020 to 400 — many still unpatched.

This makes for an enormous, vulnerable attack surface across the healthcare sector, while attacks are getting more frequent, brazen and destructive.

It’s up to hospitals and medical service providers to build telehealth systems with security in mind, Nate Warfield, CTO of Prevailion, wrote in Threatpost last summer. He called on the private sector to lend a hand in shoring up critical healthcare infrastructure, and lauded groups like the CTI League and the COVID-19 Cyber Threat Coalition, formed at the beginning of the pandemic to share threat intelligence against a rising threat of attack.

“Cyber-threats to healthcare won’t slow down, even after the pandemic is over,” Warfield explained. “Hospitals need to take more aggressive action to fortify themselves against these attacks…They also need to increase their investments in cybersecurity.”

He added, “Advanced defensive tools need to be more accessible to the healthcare sector, information sharing across organizations must be encouraged, and collaboration across all sectors to help defend these life-saving industries should be the norm, not the exception.”

Kaspersky recommended the basic measures of using strong passwords and providing good user security training, but added that application developers need to do more.

“Application developers need to understand that vulnerabilities in an application and a lack of security in general can make it possible for cybercriminals to gain access to personal conversations between doctors and patients, user databases, payment details and other highly sensitive information,” the Kaspersky telehealth report added.
