18. TECHNICAL REASONS FOR VULNERABILITY
•Bluetooth advertising, not pairing
•Data being sent in plain text
•Bluetooth V4.0 is inherently insecure (key exchange
vulnerability)
•No signing of data
19. TECHNICAL FIXES
•Use BTLE V4.2 Bonding
•Assign unique public/private keys to monitors, basestations
•Encrypt data on monitor before transmit
•Cryptographically sign data on monitor before transmit
•Check data signature at basestation before reporting to cloud
app
20. ORGANIZATIONAL REASONS FOR VULNERABILITY
• Research project becomes prototype, becomes MVP, becomes V1
• Infinite number of feature requests, finite number of engineers
• Need to launch by CES / RSNA / HIMSS / etc.
• “Why would anyone actually want to hack this?”
21.
22. “Not a big deal because it would require
physical proximity.”
23.
24. Security is not a distraction from your
business; it’s imperative for the success of
your business.
Takeaway #1
25. If your device connects to a network, you’re
an internet company.
Takeaway #2
26. Things Internet Companies Do
• Deliver product continuously
• Only build what isn’t available as Open Source
• Scour internet for known vulnerabilities
• Pay hackers via “bug bounties”
29. HOW WE’RE ADDRESSING THIS
•Security software gets “baked in” your device’s software
•Secure communications, instructions between devices
•Monitor device behavior for suspicious behavior
•Features designed specifically to meet FDA guidelines