SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Kaspersky uncovers multiple vulnerabilities in wearable tracking technology
Thu, 3rd Feb 2022

Kaspersky researchers found 33 vulnerabilities in 2021 alone in the most commonly used protocol for transferring data from the wearable devices patients wear for remote monitoring, 18 of them rated 'critical'.

The security experts from global cybersecurity and privacy company Kaspersky found 10 more critical vulnerabilities than the previous year, many of which remain unpatched. The researchers say this allows attackers to intercept patient data.

Telehealth is digital information and communication technologies, such as computers and mobile devices, used to access health care services remotely. These include remote patient monitoring, which is done using wearable devices and monitors. Such devices can continuously or at intervals track a patient's health indicators, such as breathing and cardiac activity.

The most common protocol used to transmit data from wearable devices and sensors is MQTT, because it is easy and convenient. But Kaspersky researchers note that authentication is completely optional in MQTT and that connections rarely use encryption. This makes MQTT highly susceptible to 'man in the middle' attacks, in which an attacker places themselves between two parties while they communicate.
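As an added illustration of what "authentication is optional" means on the wire (this is not code from the article or from Kaspersky), the script below decodes MQTT 3.1.1 CONNECT packets and lists clients that connected without presenting a username. The packets are constructed samples; a defender would feed it CONNECTs captured on the plaintext MQTT port, where the fact that they can be read at all is already a finding.

```python
# Added example: audit MQTT 3.1.1 CONNECT packets for anonymous clients.
# Layout follows the MQTT 3.1.1 spec: fixed header, Protocol Name, Protocol
# Level, Connect Flags (bit 7 = username, bit 6 = password, bit 2 = will),
# Keep Alive, then the length-prefixed payload fields.
import struct

def _remaining_length(buf: bytes, pos: int):
    """Decode MQTT's variable-length integer (7 data bits per byte)."""
    value, multiplier = 0, 1
    for _ in range(4):
        byte = buf[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128
    raise ValueError("malformed Remaining Length")

def _field(buf: bytes, pos: int):
    """Read a 2-byte big-endian length-prefixed field."""
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + length], pos + length

def parse_connect(packet: bytes) -> dict:
    """Return the security-relevant fields of one CONNECT packet."""
    if packet[0] >> 4 != 1:
        raise ValueError("not a CONNECT packet")
    remaining, pos = _remaining_length(packet, 1)
    end = pos + remaining
    proto, pos = _field(packet, pos)
    level, flags = packet[pos], packet[pos + 1]
    pos += 4                                  # protocol level, flags, keep alive
    client_id, pos = _field(packet, pos)
    if flags & 0x04:                          # Will flag: skip will topic/message
        _, pos = _field(packet, pos)
        _, pos = _field(packet, pos)
    has_user = bool(flags & 0x80)
    if has_user:
        _, pos = _field(packet, pos)          # username (value not needed here)
    if flags & 0x40:
        _, pos = _field(packet, pos)          # password
    if pos != end:
        raise ValueError("CONNECT payload length mismatch")
    return {"protocol": proto.decode(), "level": level,
            "client_id": client_id.decode(), "anonymous": not has_user}

def anonymous_clients(packets) -> list:
    """Client IDs that connected with no username flag set."""
    return [p["client_id"] for p in map(parse_connect, packets) if p["anonymous"]]

# Constructed samples: an anonymous sensor and one sending a username/password.
SAMPLE_CONNECTS = [
    b"\x10\x15\x00\x04MQTT\x04\x02\x00\x3c\x00\x09sensor-01",
    b"\x10\x24\x00\x04MQTT\x04\xc2\x00\x3c\x00\x09sensor-02\x00\x05nurse\x00\x06s3cret",
]
```

Credentials found by this parser are still sent in the clear unless the broker enforces TLS, so "anonymous: False" only tells you a password exists, not that it is protected.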

Any data transferred over the internet could potentially be stolen. When it comes to wearable devices, that information could include highly sensitive medical data, personal information, and even people's movements. Most wearable devices track your health data and your location and movements, opening up the possibility of not just stealing data, but also potentially stalking.

"Telehealth doesn't just involve communicating with your doctor via video software," says Maria Namestnikova from Kaspersky Global Research and Analysis Team (GReAT).

"We're talking about a whole range of complex, rapidly evolving technologies and products, including specialised applications, wearable devices, implantable sensors and cloud-based databases.

"However, many hospitals are still using untested third-party services to store patient data, and vulnerabilities in healthcare wearable devices and sensors remain open. Before implementing such devices, learn as much as you can about their level of security to keep the data of your company and your patients safe."

Kaspersky researchers found vulnerabilities in the MQTT protocol and one of the most popular platforms for wearable devices: the Qualcomm Snapdragon Wearable platform. There have been more than 400 vulnerabilities found since the platform was launched, and not all have been patched, including some from 2020.

Kaspersky recommends that healthcare providers:

  • Check the security of the application or device suggested by the hospital or medical organisation.
  • Before transferring personal data to any telehealth service, try to determine how this data will be stored and who will have access to it. Try not to use services that do not care about data safety.
  • Minimise the data transferred by telehealth apps if possible (e.g. don't let the device send the location data if it's not needed).
  • Change passwords from default ones and use encryption if the device offers this – no matter how securely the service stores data, a simple password can allow an attacker to gain access to it.
  • Never click on links in emails from strangers, even if the topic is engaging. If you get an unexpected notification from a telehealth service, always open the application itself rather than click on a link in an email.