In the past few years, increased focus and scrutiny of medical devices by security researchers has resulted in improved awareness of medical device security risks.
Interestingly, in many cases the security researcher had a very personal and literal connection to the medical device -- that is, they were actual users of the device itself.
A few examples:
The work done by security researchers on their own devices is only the beginning of what we can expect will be a deluge of medical device related vulnerabilities, and it’s worthwhile to explore some of the reasons why the current situation is the way it is.
One key reason is that typical security researchers face many barriers to entry that can prevent them from obtaining medical devices on their own.
For example, while all kinds of medical devices are listed on sites such as eBay, FDA-imposed aftermarket sales restrictions can prevent or dissuade the casual, “hobbyist” security researcher from simply bidding for a medical device on eBay and easily getting hands-on access (see the eBay policy on medical device sales).
The restrictions and laws relevant to medical devices are complex, and can inhibit a security researcher from pursuing an aftermarket purchase. For those seeking answers, the FDA’s Division of Small Manufacturers, International and Consumer Assistance (DSMICA) may be able to provide assistance and clarification, but be warned, this is a convoluted area. For example, an individual’s inquiry to the FDA DSMICA about the restrictions and legality of purchasing a hyperbaric chamber is enlightening.
Changing the Medical Device Threat Model
Medical device vendor awareness of the security threat is, in some respects, as Kevin Fu of University of Massachusetts puts it, in a “medieval” state. In fact, Dr. Fu recently noted that he has “yet to find a single company that issues digital signatures or hashes of medical device downloads."
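The practice Dr. Fu describes as missing (publishing a hash or signature for each download so users can check that what they installed is what the vendor shipped) is straightforward to implement. The following is an added example written for this post, not code from any vendor or from the researchers mentioned here: it builds a SHA-256 manifest for a set of firmware files and then verifies downloaded copies against it, flagging a file whose bytes were altered in transit and a file that is missing from the manifest entirely. The file names and contents are constructed for illustration. A manifest alone only detects corruption or tampering of the files; to also tie the manifest to the vendor, it would additionally need to be signed with the vendor's key, which this example does not show.

```python
import hashlib
from typing import Dict, Tuple

# Constructed sample "downloads": name -> bytes as the vendor published them.
PUBLISHED_FILES: Dict[str, bytes] = {
    "pump-fw-2.1.bin": b"\x7fELF" + b"\x00" * 60 + b"pump firmware 2.1 (constructed)",
    "monitor-fw-1.4.bin": b"MONITOR-IMG" + b"\x01\x02\x03\x04" * 16,
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> str:
    """Produce a text manifest, one 'hash  filename' line per file
    (the same layout sha256sum prints, so existing tools can read it)."""
    return "\n".join(f"{sha256_hex(data)}  {name}" for name, data in sorted(files.items())) + "\n"


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse manifest lines back into filename -> expected hex digest."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name] = digest.lower()
    return expected


def verify_downloads(manifest_text: str, downloaded: Dict[str, bytes]) -> Dict[str, Tuple[bool, str]]:
    """Compare each downloaded file with the manifest.
    Returns filename -> (ok, reason). Files absent from the manifest are
    reported as failures too, since an unlisted file cannot be vouched for."""
    expected = parse_manifest(manifest_text)
    results = {}
    for name, data in downloaded.items():
        if name not in expected:
            results[name] = (False, "not listed in manifest")
            continue
        actual = sha256_hex(data)
        if actual == expected[name]:
            results[name] = (True, "hash matches")
        else:
            results[name] = (False, f"hash mismatch: expected {expected[name][:12]}..., got {actual[:12]}...")
    return results


def demo() -> Dict[str, Tuple[bool, str]]:
    """Build the manifest, then verify a download set in which one file was
    altered in transit and one file was never published (both constructed)."""
    manifest = build_manifest(PUBLISHED_FILES)
    downloaded = dict(PUBLISHED_FILES)
    # Single flipped byte in the pump image: simulates tampering or corruption.
    tampered = bytearray(downloaded["pump-fw-2.1.bin"])
    tampered[10] ^= 0xFF
    downloaded["pump-fw-2.1.bin"] = bytes(tampered)
    # A file the vendor never listed.
    downloaded["pump-fw-2.2-beta.bin"] = b"unlisted build (constructed)"
    return verify_downloads(manifest, downloaded)


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {reason}")
```

The manifest uses the two-space `hash  filename` layout that `sha256sum -c` understands, so a vendor publishing it would give users a check that works with tools already on their systems.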
A hopeful sign is that due to the work of these security researchers presenting at conferences (hacker, academic and industry), various organizations like DHS are recognizing the threat and we are seeing awareness publications like the recent DHS “Attack Surface: Healthcare and Public Health Sector” urging an increased focus on medical device wireless connectivity.
As security community interest in conducting analysis of medical devices grows, we’ll see more security researchers figuring out ways to get their hands on these devices. It’s also worth mentioning the emergence of some formalized efforts, such as the “Open Medical Device Research Library” at http://omdrl.org, which is making inroads toward providing vetted security researchers with physical access to these devices.
From a more grass-roots and individual/small group level, we should expect security researchers of all shades of grey to make progress in garnering access to medical devices.
This may happen through several channels, ranging from aftermarket medical device purchases from unsavory or unaware aftermarket retailers, to researchers working to obtain the credentials and FDA approval paperwork needed to buy and sell medical devices as a business, but with the true objective of simply gaining access to a variety of medical devices.
Looking to the past, we can see this kind of hacker interest and progression in the article “The long, strange trip of the L0pht”, where the members of the L0pht recalled the early Boston days in the late ’90s and what happened when Richard Clarke got a tour of the L0pht’s lab space:
"After showing the feds around for a couple of hours and talking about the projects the group was working on and how the members went about their research, the L0pht crew was a little dismayed to see Clarke and his cohorts huddled together, speaking in hushed tones."
"This did not sit well with Mudge and the others. Gesturing to the beer sitting in front of him, Mudge told the audience: Having a bit of the Irish courage in me by that point, I went over to them and said, 'Look, we brought you guys in here and opened the kimono and showed you what we do here and now you're out here whispering. You have to tell me what you're talking about.'"
"So Richard Clarke says, 'Ok, I'll tell you. We were just saying that the CIA guys have told us that the only way anyone could do this stuff was with funding from a foreign government.'"
"He told us, 'You've changed our entire threat model.'"
In many respects, I see the current medical device security situation as similar to that time back in the late 90s when the L0pht opened eyes and minds to new threat models and the capability of small, focused groups of security folks dedicated to getting access, code, gear, etc.
In the current state of affairs, it’s not unrealistic to state that medical device manufacturers have too long enjoyed insulation from security researcher analysis and a pervasive “security by obscurity” situation.
It's starting out as personal, but clearly the situation is rapidly changing and expanding.