Kaspersky Lab experts have investigated an experimental cloud infrastructure for advanced bionic prostheses and have identified security issues that could enable a third party to access, manipulate, steal, or delete the private data of device users. The findings were shared with manufacturer Motorica, a Russian start-up that makes bionic upper limb prostheses to assist people with disabilities, allowing them to address the security issues.
The Internet of Things (IoT) is no longer only about connected watches or smart homes, but about highly complex and increasingly automated ecosystems. This includes connected technologies for healthcare. In the future, such technologies could shift away from being purely support devices, to becoming mainstream and used by consumers keen to extend the capabilities of the human body. Therefore, it is critical that manufacturers investigate and address any existing or potential security risks in current products, as well as their supporting infrastructure.
Kaspersky Lab ICS CERT researchers have undertaken a cybersecurity assessment of a test software solution for a digital prosthetic hand, developed by Motorica. The solution itself is a remote cloud system, providing an interface for monitoring the status of registered biomechanical devices. It also gives other developers an existing toolset for analysis of the technical condition of devices like smart wheelchairs, artificial hands and prosthetic feet.
The initial research identified several security issues in the software. These included an insecure HTTP connection, incorrect account operations, and insufficient input validation.
When in use, the prosthetic hand transmits data to the cloud system. Due to these security gaps, an attacker could:
- Gain access to information held in the cloud about all connected accounts, including logins and passwords in plaintext for all the prosthetic devices and their administrators
- Manipulate, add, or delete such information
- Add or delete their own users, including users with administrator rights
Vladimir Dashchenko, researcher at Kaspersky Lab ICS CERT, said: “Motorica is a high-technology, trusted and socially responsible company, focused on addressing the challenges faced by people with physical impairment. As the company prepares for growth, we wanted to help it ensure the right security measures were in place. The results of our analysis are a good reminder that security needs to be built-in to new technologies from the very start. We hope that other developers of advanced connected devices will want to collaborate with the security industry to understand and address device and system security issues and treat the security of devices as an integral and essential part of development.”
“New technologies are bringing us to a new world in terms of bionic assisting devices,” said Ilya Chekh, CEO at Motorica. “It is now of crucial importance for the developers of such technologies to collaborate with cybersecurity solution vendors. That will allow us to make even theoretical cases of attacks on the human body impossible.”
For manufacturers of bionic devices and other smart technologies, Kaspersky Lab recommends the following security measures:
- Review threat models and vulnerability classifications for relevant web-based and IoT technologies, provided by industry experts, such as OWASP IoT Project.
- Introduce secure software development practices based on lifecycle. To evaluate existing software security practices, use a systematic approach like OWASP OpenSAMM.
- Establish a procedure for obtaining information on relevant threats and vulnerabilities to ensure proper and timely response to any incidents.- Regularly update operating systems, application and device software, and security solutions.
- cybersecurity solutions designed to analyze network traffic, detect and prevent network attacks – at the boundary of the enterprise network and at the boundary of the OT network.
- Use a security solution with machine learning anomaly detection (MLAD) technology to reveal deviations in IoT device behaviour — for early detection of attack, failure or damage of the device.