Exploiting Connected Medical Devices: Lessons Learned & Data Earned

This talk will take an educational approach to presenting our research on assessing medical devices from a security standpoint. Based on the output of security assessments performed against two medical devices that are widely deployed at various hospitals and medical institutions, we will present an in-depth analysis of the target devices, the vulnerabilities we discovered, and the approach that led us to compromise them in order to gain access to a plethora of medical records from all the medical institutions they were deployed at, not just the one where our target devices were hosted.

An IoT medical device is part of a complex ecosystem that may expose numerous threats. Some devices rely on proprietary hardware on licensed bands, which reduces the risk of interference from consumer connected devices but doesn’t provide security as implied in marketing materials. Others rely on standard WiFi security measures for confidentiality and are prone to MitM attacks. Healthcare devices that implement IrDA could yield interesting results when interfaced with cheap $10 hardware.

This presentation will focus on our assessment approach: test cases, pitfalls, successes and failures. We will demonstrate the compromise of a prescription device to extract healthcare records and the manipulation of various sensitive settings of an infusion pump.

