Practical (in)security of IoT and medical IT systems

Author: Saatjohann, Christoph
Advisor: Schinzel, Sebastian

Abstract:

Digitalization is an emerging topic in the health sector. The advantages are clear: faster communication between health professionals, instant availability of patient documents, improved safety with respect to medication interactions, and avoidance of duplicate examinations are only some of them. In a perfect digital health system, no patient has to carry and store DVDs with x-ray data anymore, since this data is stored in a secure electronic patient record that is accessible to every treating health professional and whose access is authorized by the patient. Doctors no longer send letters, faxes, or unencrypted emails. Instead, they use encrypted emails or smartphone messengers to exchange patient diagnoses with other treatment personnel. But where are we in this transition in terms of security? Is patient data protected against attackers? These essential questions must be answered before personal data is stored on connected devices and patient health comes to rely on such digital data.

In the first part of this thesis, we studied widely used children's smartwatches, which parents use to track and communicate with their children. Nearly all manufacturers of these watches also reuse the same watch and infrastructure platform for home emergency systems aimed at elderly or disabled people, and thereby enter the patient care market. Parents use smartwatches for their children as a form of remote supervision, to gain a sense of safety and to allow their children more independence. We found that this remote supervision can often be manipulated. The vulnerabilities we found, e.g., retrieving and manipulating the location data of tracked children's watches, are especially critical because they defeat the very purpose of such watches. Cybersecurity flaws in the cardiac ecosystem, consisting of implantable devices, home monitoring units, and programmers, can affect the patient's health. We found vulnerabilities in this ecosystem that attackers can use to harm individual, selected persons. These findings led to a CISA advisory with mitigations for hospitals and to five CVEs, directly reducing patient risk. Alongside cybersecurity vulnerabilities, our study of the privacy processes of cardiac implant manufacturers shows significant deficiencies, including incomplete answers to patient requests. Smartphone apps store and process sensitive user information, which, depending on the app, includes medical data. To answer the question of which information can be forensically recovered from such apps, we analyze what data automotive apps leave on a smartphone once it is physically available to an analyst. The user device is only one part of the medical system; even when patient data is protected there, the data processing in the backend infrastructure must be protected as well.

In the second part of the thesis, we analyzed typical medical infrastructure. We show that devices and systems in medical facilities still use network protocols designed in the eighties, when hardly anyone had thought about global public networks, let alone attackers with access to them. Even where security mechanisms are available on paper, their use often fails in practice because of missing standardization and incompatible software implementations. A cyber attack on a hospital can have dramatic consequences. Determining the direct impact on the quality of care in advance is challenging, yet such estimates are essential for proper risk management and sound operational and financial decisions in a hospital. We present a model and simulation software for scenarios that vary the availability of resources and the number and severity of new hospitalizations. Current medical communication methods use email with End-to-End Encryption (E2EE) to protect patient health data against attackers. We answer an open research question about E2EE email: whether practical format oracle attacks exist and how such attacks can be prevented in general.

In conclusion, this thesis uncovered substantial risks in widely used digital communication technology and medical IT systems using scientific research methods. We contribute to this socially important subject by describing means to mitigate these risks. Some of our suggestions have already been adopted, securing personal user data and improving patient safety.