[Virus Bulletin 2019] Medical IoT for diabetes and cybercrime

The medical sector is one of the domains that particularly deserves our attention. In this talk we focus on diabetes, IoT and cybercrime.

Diabetes is a rather frequent group of disorders: it affects close to 9% of the adult population worldwide. People with diabetes typically have to prick their finger about four times a day, get a drop of blood and measure their blood glucose level. They then adjust their treatment (e.g. the insulin dose) based on the result.

This "routine" is tedious, and consequently medical IoT devices that measure blood glucose automatically (i.e. without a finger prick for each reading) are quite welcome. Those systems are known as Continuous Glucose Monitoring (CGM) or Flash Glucose Monitoring (FGM) systems. Note that connected insulin pumps also exist, but perhaps because of the obvious health risks, patients usually prefer to stick with a connected glucose monitoring system and inject insulin manually.

Are connected glucose monitoring systems safe in terms of security and privacy? Who would attack a random diabetic patient, and what for? Are the threats real or overestimated? These are the questions our research addresses.

1. We analysed the security of a given FGM system. The design of the device is interesting: it communicates with the patient's smartphone over NFC. We experimented with the system, opened it and reverse engineered it. We had expected horrors - this is unfortunately common with IoT - and were happily surprised to find a decent design. It is not perfect (nothing is), and we'll discuss a few issues ranging from privacy to obsolescence.

2. We identified a couple of diabetes-related malware samples. We will explain what they do, what motivates the attackers and, consequently, what risks patients face. So far we have not uncovered any attempt to directly affect the health of victims, but the samples we found have side effects on the victims' ability to manage their diabetes, and this could become dangerous at some point.

3. Finally, we gathered information on the Dark Web. Are records of diabetic patients being traded or sold there? Are targeted attacks on specific diabetic patients real or FUD? We have collected some evidence (trades, experimental treatments) and will explain what we found.
