    Episode 7 · December 24, 2024 · 23m listen · 3,978 words · ~20 min read

    The Evolution of Medical Device Cyber Threats: Past, Present, and Future | Ep. 6 - Full Transcript | The Med Device Cyber Podcast


    Episode summary

    This episode of "The Med Device Cyber Podcast" delves into the evolution of medical device cybersecurity threats, offering essential insights for product security teams, regulatory leads, and engineers. Beginning with historical incidents like the Dick Cheney pacemaker concerns and Barnaby Jack's insulin pump hack, the discussion highlights the early recognition of wireless vulnerabilities in implantable devices. The conversation then transitions to the present, focusing on the FDA's 2023 guidance, which emphasizes designing secure medical devices throughout their entire lifecycle. The episode addresses the significant challenges posed by millions of legacy devices currently in the field and the industry's push for transparency through Software Bill of Materials (SBOMs) to articulate cybersecurity risks. Looking ahead, the episode explores future concerns such as autonomous surgical robots and the dual-edged sword of artificial intelligence in both defending and attacking medical infrastructure. Product security professionals and regulatory specialists will find the discussion on evolving threats, current regulatory landscape, and future considerations invaluable for mitigating risks and ensuring patient safety.

    Key takeaways from this episode

    • Early medical device hacks, such as those involving pacemakers and insulin pumps, demonstrated critical vulnerabilities in wireless connectivity and the severe patient risks associated with them.
    • The FDA's 2023 guidance has shifted the industry towards integrating cybersecurity throughout the entire medical device lifecycle, from design to disposal.
    • Addressing the cybersecurity of millions of legacy medical devices in the field remains a significant challenge, requiring ongoing security research and responsible vulnerability disclosure.
    • Transparency through Software Bill of Materials (SBOMs) is crucial for device manufacturers to articulate cybersecurity risks to healthcare providers and patients.
    • The future of medical device cybersecurity will contend with emerging threats from autonomous surgical robots and the offensive and defensive applications of artificial intelligence.
    • Proximity is not a sufficient security control for wireless medical devices, as specialized equipment can enable remote exploitation from significant distances.

    Full episode transcript

In this episode, we're going to cover the evolution of medical device cyber threats: some of the past, the present, and the future. Let's start off with the past. Trevor, do you want to start off a little bit with some of the history of medical devices and cybersecurity attacks against them?

One thing that is an early-on device attack that has seen a little bit of coverage was actually some concerns that Dick Cheney had around 2007, relating to his pacemaker. He had a lot of concerns that there could be an assassination attempt against him since his pacemaker had a wireless connectivity feature, and he was very concerned that someone could hack into it and try to kill him. Interestingly enough, there was a security researcher who was able to prove that his concerns were founded. They were able to take pacemakers, and as a proof of concept, effectively change the functionality and assassinate someone with a pacemaker. That was one of the original notable events in 2007 where medical device cybersecurity was really coming into play.

That's about 17 years ago; it's pretty amazing. I think a lot of people don't realize implantables such as pacemakers have wireless functionality, and it's typically Bluetooth because they occasionally need a firmware update. You don't want to take it out of the patient every time you want to update it, so you do it with Bluetooth. Often, data is read off of that device, such as diagnostic data or data about the patient, so that's why it has some sort of wireless capability. Then we've also got hacks with the mysterious guy, Barnaby Jack, kind of a funny name. He hacked an insulin pump and was able to deliver the maximum dose of insulin over and over and over and cause somebody to die. He didn't do it on a real patient, but he did a demonstration at Black Hat, and this was in 2011, only four years later. These insulin pumps, he was able to use a high-power antenna and connect to an insulin pump from a far distance and manipulate it that way.

Barnaby Jack was the same guy who was discovering that pacemaker attack and was able to do the proof of concept as well, isn't that correct?

From my understanding, he heard about the threat to Dick Cheney and wanted to validate that that was a legitimate threat. He proved he could do it; he proved he could connect to a pacemaker and shock somebody over and over and over. He likes to use these high-power antennas so he could do it from a distance. A lot of people think Bluetooth means you have to be super close, but I've heard people sniffing and connecting to Bluetooth devices like a mile away if you have a high-power antenna.

Wow, that's really interesting. I know that a lot of times we'll see proximity as a security control around Bluetooth. Someone will say, "Well, there's not really much likelihood of exploitation just due to the fact that Bluetooth is such a close-range communication," but that's not always the case. With specialized equipment, you can attack it from pretty far away.

There's a thing called a blue sniper rifle that is designed to connect to Bluetooth a mile away. It's a very directional antenna; it looks like an actual rifle. You probably shouldn't walk around with it in downtown Phoenix or anything, or New York specifically, or California. But this guy, this researcher, is able to sniff Bluetooth from a mile away and connect to Bluetooth devices. So, proximity is not always a good defense, especially with wireless. We like to use it as a defense, but it's not really, unless you have a Faraday cage or something.

I think Arizona is probably the only place where you can walk around in a major city with a rifle and nobody's going to ask you any questions.

That's why I switched it to California or New York, because I was thinking if I walked around with my rifle or even my shotgun, probably nobody's going to say anything. I've seen people in liquor stores with a gun in their holster, and I think, "Man, this is kind of interesting. This guy's in a liquor store; he might have been drinking, and he's got a gun in a holster, you know, outside his waistband carry is not concealed carry but open carry." It's kind of interesting.

Similar to the insulin pump attack that Barnaby Jack discovered, Johnson & Johnson disclosed a vulnerability in 2015 that was essentially a copy of that problem Barnaby Jack had discovered in the past. Attackers could essentially get into the pump without any access controls; they were able to hack into it and then, same thing, crank up the dose to the maximum level and just continually apply maximum dose and essentially cause someone to die as long as they have this insulin pump. This whole thing again was a remote connection. There have been a lot of attacks against these pumps, like insulin pumps.