The Department of Homeland Security (DHS) on Thursday alerted the public that implanted heart devices manufactured by medical device giant Medtronic were susceptible to critical security flaws that, if exploited, would allow the devices to be dangerously manipulated.
That the Medtronic security flaws received a Common Vulnerability Scoring System (CVSS) rating of 9.3 (out of a score range of 0–10) underscores the seriousness and ease of exploitation of this security failure. Moreover, the flaws are evidence of a shocking lack of foundational security controls in a product that hundreds of thousands of patients around the world rely on to prevent heart failure.
Medtronic said it was unaware of any cyber attack or patient harm associated with the vulnerabilities.
In a week when Facebook, one of the largest, most technologically adept and financially well-resourced corporations on the planet, disclosed a vast security failure of its own — the inadvertent logging of millions of user passwords in plaintext — business and technology leaders should be sitting up and taking note: security is not a one-time event that can effectively be managed through a check-the-box approach. Overreliance on automation is also a losing strategy for the cybersecurity challenge. Even the most diligent corporations need to be re-examining everything they do to assess the efficacy and coverage of their security solutions, with a view toward maturing the security posture of their products and corporate information.
What went wrong at Medtronic
The Medtronic security weakness could allow a hacker in close physical proximity to a patient wearing one of the affected devices to interfere with the radio frequencies of the company’s proprietary Conexus Wireless Telemetry protocol. This could impact the heart device’s functionality and allow access to the patients’ health data.
To exploit this vulnerability, a hacker would have to connect to the Conexus protocol through one of two methods: (1) an inductive protocol that gets initiated during routine clinic visits, and (2) scheduled follow-up transmissions and other operational and safety notifications. Since the Conexus protocol lacks both authentication and authorization, and the patients’ health data is transmitted in an insecure manner, a hacker can read and write to any memory address on the implanted device, creating the opportunity to abuse its functionality.
In response to the disclosure of these vulnerabilities, Medtronic has said it is working to develop a fix. Nonetheless, this episode has undoubtedly undermined trust in the company’s products, which demonstrates how tightly intertwined cybersecurity has become with brand trust.
IoT Security: Key Considerations and Common Pitfalls
In the IoT domain, we see companies tripped up by many issues, the most prevalent being: (1) privileged access management; (2) data storage and deployment of tamper resistant technologies; and (3) security for data-in-transit. Medtronic could have avoided the flaws in its devices had it effectively managed these issues.
Privileged access management (PAM) is necessary for data-at-rest and data-in-transit because it ensures authentication and authorization for privileged users. By having effective PAM, Medtronic would have ensured its communications protocol could be accessed only by privileged users.
We see many companies tripped up by data storage issues and a failure to deploy tamper-resistant technologies in the IoT space. We see two primary methods to prevent device tampering: hardware-driven or software-driven tamper-resistant solutions that would identify hardware tampering or an adversary reading or writing to a physical address in memory. Software-driven tamper-resistance checks may not be foolproof, but they add to the overall complexity for an attacker. Tamper resistance also provides a foundational capability for creating secure storage. When handling sensitive data such as patient health records, IoT manufacturers must ensure they leverage secure storage such as white-box cryptography to secure the information and obfuscate the encryption keys, making them more difficult to compromise. Along with this, whenever you are storing information on a device, ensure that there are stringent controls in place so that only an authorized person can see it. This involves having secure encryption keys for performing security attestation of the firmware, the kernel and any sensitive data stored on the device.
Additionally, effective encryption of data-in-transit is a must. With the increasing sophistication of hackers, it is critical to encrypt sensitive data in transit for these devices. An unencrypted channel provides a hacker with an easy way to sniff network traffic, potentially leading to leakage of patients’ sensitive information.
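As an added illustration of the authentication and authorization gap described in the "What went wrong" section and the PAM point above (this is constructed example code, not Medtronic's code and not the real Conexus protocol), the toy Python model below contrasts a telemetry command handler that accepts any read/write frame with one that verifies a shared-key HMAC on every frame, rejects replayed counters, and permits writes only from the clinic-programmer role and only within a parameter region. The frame layout, the two roles, the address ranges and the key are all assumptions made for the example.

```python
import hmac, hashlib, struct

# Constructed toy model of an implant telemetry channel (NOT the Conexus protocol).
# Frame layout (assumption): role(1) | counter(4) | opcode(1) | addr(4) | arg(4) | tag(32)
HDR = ">BIBII"
READ, WRITE = 0x01, 0x02
CLINIC_PROGRAMMER, HOME_MONITOR = 1, 0
WRITABLE = range(0x1000, 0x2000)  # assumption: only the parameter region may be written

class Device:
    def __init__(self, key: bytes):
        self.key, self.mem, self.last_counter = key, bytearray(0x4000), 0

    def handle_unauthenticated(self, frame: bytes) -> bytes:
        """Weak handler: no tag check, no role check; any frame can read/write anywhere."""
        _, _, op, addr, arg = struct.unpack(HDR, frame[:14])
        return self._execute(op, addr, arg)

    def handle_authenticated(self, frame: bytes) -> bytes:
        """Hardened handler: verify HMAC tag, reject replayed counters, enforce role and region."""
        body, tag = frame[:14], frame[14:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise PermissionError("authentication failed")
        role, counter, op, addr, arg = struct.unpack(HDR, body)
        if counter <= self.last_counter:
            raise PermissionError("replayed or stale counter")
        self.last_counter = counter
        if op == WRITE and (role != CLINIC_PROGRAMMER or addr not in WRITABLE):
            raise PermissionError("write not authorized")
        return self._execute(op, addr, arg)

    def _execute(self, op: int, addr: int, arg: int) -> bytes:
        if op == READ:                      # arg = number of bytes to read
            return bytes(self.mem[addr:addr + arg])
        if op == WRITE:                     # arg = 32-bit value to store
            self.mem[addr:addr + 4] = struct.pack(">I", arg)
            return b""
        raise ValueError("unknown opcode")

def build_frame(key: bytes, role: int, counter: int, op: int, addr: int, arg: int) -> bytes:
    body = struct.pack(HDR, role, counter, op, addr, arg)
    return body + hmac.new(key, body, hashlib.sha256).digest()

def rejected(device: Device, frame: bytes) -> bool:  # True if the hardened handler refuses it
    try:
        device.handle_authenticated(frame)
        return False
    except PermissionError:
        return True
```

Confidentiality of the payload (the data-in-transit encryption the next paragraph calls for) is deliberately not shown here; in a real design the tag and encryption would come from one authenticated-encryption scheme with per-device keys.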
The security lapse at Medtronic underscores the need for end-to-end information security assurance processes for IoT products. Companies large and small should consider engaging an outside expert to provide a level of assurance around the work internal teams have done. Particularly in the IoT space, we see too many companies producing products that lack foundational security controls to manage how data is stored and transmitted. Supplementing internal efforts with a complete and unbiased picture of the security risks associated with innovative IoT technologies can help produce more secure products.