Presentation by Mike Kijewski, CEO, medcrypt at the Smart Health Conference 2018, held at Bally's Las Vegas on the 26-27th of April, 2018.

1. HACKING A BLUETOOTH-ENABLED
MEDICAL DEVICE IS TOO EASY
Mike Kijewski
mike@medcrypt.co

2. PREDICTION: >50% OF MEDICAL DEVICES
WILL BE INTERNET-ENABLED BY 2030

3. HEALTHCARE IS MOVING TO THE HOME

4. WE ONLY GET PAID IF DEVICES ARE WORKING

5. THERES AN INTERNET GATEWAY
IN YOUR POCKET

7. WE HACKED A DEVICE

8. WE’RE NOT A HEDGE FUND

9. Basestation Cloud AppMeasurement
Device
COMMON AMBULATORY DEVICE ARCHITECTURE
#
Mobile App
BTLE WiFi

10. Basestation
Cloud AppMeasurement
Device
# Mobile App
BTLE WiFi
Measurement device packages data,
broadcasts over BTLE V4.0
COMMON AMBULATORY DEVICE ARCHITECTURE

11. Basestation
Cloud AppMeasurement
Device
# Mobile App
BTLE WiFi
COMMON AMBULATORY DEVICE ARCHITECTURE
Basestation sees advertised data,
interprets measurement, sends to cloud
app.

12. Basestation
Cloud AppMeasurement
Device
# Mobile App
BTLE WiFi
COMMON AMBULATORY DEVICE ARCHITECTURE
Measurement is shown to user via mobile app.

13. Basestation Cloud AppMeasurement
Device
#
Mobile App
BTLE WiFi
Various BTLE
vulnerabilities Lack of encryption /
TLS / data signing
COMMON AMBULATORY DEVICE ARCHITECTURE
#

14. Basestation
Cloud AppMeasurement
Device
# Mobile App
BTLE WiFi
BTLE
Raspberry Pi Raspberry Pi
Measurement
Device
Basestation
ANONYMIZED EXAMPLE HACK

15. ANONYMIZED EXAMPLE HACK
BTLE
Raspberry Pi Raspberry Pi
Measurement
Device
Basestation
Raspberry Pi
Hacker

16. DEMO

18. TECHNICAL REASONS FOR VULNERABILITY
•Bluetooth advertising, not pairing
•Data being sent in plain text
•Bluetooth V4.0 is inherently insecure (key exchange
vulnerability)
•No signing of data

19. TECHNICAL FIXES
•Use BTLE V4.2 Bonding
•Assign unique public/private keys to monitors, basestations
•Encrypt data on monitor before transmit
•Cryptographically sign data on monitor before transmit
•Check data signature at basestation before reporting to cloud
app

20. ORGANIZATIONAL REASONS FOR VULNERABILITY
• Research project becomes prototype, becomes MVP, becomes V1
• Infinite number of feature requests, finite number of engineers
• Need to launch by CES / RSNA / HIMSS / etc.
• “Why would anyone actually want to hack this?”

22. “Not a big deal because it would require
physical proximity.”

24. Security is not a distraction from your
business; it’s imperative for the success of
your business.
Takeaway #1

25. If your device connects to a network, you’re
an internet company.
Takeaway #2

26. Things Internet Companies Do
• Deliver product continuously
• Only build what isn’t available as Open Source
• Scour internet for known vulnerabilities
• Pay hackers via “bug bounties”

27. Takeaway #3:

28. DOESN’T CARE ABOUT
CERTIFICATIONS

29. HOW WE’RE ADDRESSING THIS
•Security software gets “baked in” your device’s software
•Secure communications, instructions between devices
•Monitor device behavior for suspicious behavior
•Features designed specifically to meet FDA guidelines

30. Final Thought:
“Has this ever actually happened?”

32. Questions?
mike@medcrypt.co