Abstract
The growth of IoT technology, increasing prevalence of embedded devices, and advancements in biomedical technology have led to the emergence of numerous wearable health monitoring devices (WHMDs) in clinical settings and in the community. The majority of these devices are Bluetooth Low Energy (BLE) enabled. Though the advantages offered by BLE-enabled WHMDs in tracking, diagnosing, and intervening with patients are substantial, the risk of cyberattacks on these devices is likely to increase with device complexity and new communication protocols. Furthermore, vendors face risk and financial tradeoffs between speed to market and ensuring device security in all situations. Previous research has explored the security and privacy of such devices by manually testing popular BLE-enabled WHMDs in the market and generally discussed categories of possible attacks, while mostly focusing on IP devices. In this work, we propose a new semi-automated framework that can be used to identify and discover both known and unknown vulnerabilities in WHMDs. To demonstrate its implementation, we validate it with a number of commercially available BLE-enabled wearable devices. Our results show that the devices are vulnerable to a number of attacks, including eavesdropping, data manipulation, and denial of service attacks. The proposed framework could therefore be used to evaluate potential devices before adoption into a secure network or, ideally, during the design and implementation of new devices.
Index Terms
Automated Security Assessment Framework for Wearable BLE-enabled Health Monitoring Devices