Topic 1: Medical Device Cybersecurity Testing (MedBreach) - mshapiro2025/MedBreach-Capstone GitHub Wiki

Capstone Concept

Problem

Medical devices are black boxes to end users when it comes to cybersecurity. People trust these devices to keep them alive with no information about their security, which can be a major concern. It has been revealed that there is a surprising lack of security in medical devices, especially older device models (1, 2). This is mostly because they are built with ease of access as the focus rather than security, which is understandable: patients and doctors must be able to use a device easily, because the patient's life or wellbeing can depend on it. Numerous vulnerabilities have been found in medical devices that are currently in use, and these vulnerabilities put many of the people who rely on those devices at risk. People deserve transparency and peace of mind regarding their medical devices' security. Many people who use these devices are diagnosed young. Two of our project members were given medical devices at 11 years old. For children and guardians, this is an uncertain time, and they deserve to know that their devices are secure, but these discovered vulnerabilities undermine that trust.

Proposed Solution

We will test the hardware and software security of various medical devices for vulnerabilities, and use the results to propose practical changes for hardening the security of current and future medical devices. The changes would make the device more secure while keeping it easy to use and without interfering with the device's functionality. Each member of the team will analyze a different medical device from a different perspective in order to cover the full range of research and testing possible. Each device will be researched for potential avenues of exploitation. Then, the device will be dismantled if necessary, and each chip on the PCB will be researched for potential vulnerabilities like UART. Each exploitable chip will be tested according to documented procedures provided by the Leahy Center. All steps taken and all results will be documented. After exploitation attempts are complete, the procedure and findings will be written up in a formal report, and recommendations for securing the device will be provided.

References

  1. Minimed Hacks

https://nvd.nist.gov/vuln/detail/CVE-2019-10964

  2. Various Medical Device Vulnerabilities

https://www.gao.gov/assets/d24106683.pdf

  3. FDA Guidance on Medical Device Cybersecurity

https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity#safety

  4. Legacy Medical Device Cybersecurity - MITRE

https://www.mitre.org/sites/default/files/2023-11/PR-23-3695-Managing-Legacy-Medical-Device%20Cybersecurity-Risks.pdf

  5. FDA Rundown of Medical Device Cybersecurity

https://www.fda.gov/consumers/consumer-updates/medical-device-cybersecurity-what-you-need-know

  6. International Medical Device Regulators Forum

https://www.imdrf.org/working-groups/medical-device-cybersecurity-guide

  7. FDA Warns of Bluetooth Low Energy Vulnerability Affecting Connected Medical Devices - MobiHealthNews

https://www.mobihealthnews.com/news/fda-warns-bluetooth-low-energy-vulnerability-affecting-connected-medical-devices

  8. Bluetooth-Related Flaws Threaten Dozens of Medical Devices - Wired

https://www.wired.com/story/bluetooth-flaws-ble-internet-of-things-pacemakers/

  9. Hospital Cyber Resiliency Initiative

https://405d.hhs.gov/Documents/405d-hospital-resiliency-analysis.pdf

  10. Cobalt Medical Device Cybersecurity Risk Assessment Overview

https://www.cobalt.io/blog/medical-device-security-risk-assessment

  11. Importance of Security Testing for Medical Devices

https://www.beyondsecurity.com/resources/guides/security-testing-for-networked-medical-devices

  12. Threats Facing Medical Devices and Necessity of Medical Device Cybersecurity Operations

https://www.sensato.co/post/endless-terrifying-possibilities-call-for-a-good-medical-device-cop

  13. Medical Device Vulnerabilities

https://www.informationweek.com/cyber-resilience/the-unique-cyber-vulnerabilities-of-medical-devices#close-modal

  14. FBI Vulnerability Report on Medical Devices

https://www.ic3.gov/Media/News/2022/220912.pdf

Capstone Project

  • Analyze existing medical devices for vulnerabilities and document
      • Ainsley Smith: OmniPod
      • Molly Shapiro: MiniMed 530G
      • Michael Coyne: Philips Intellivue
  • Exploit vulnerabilities and document
  • Propose remediation for vulnerabilities

Scope

MiniMed 530G (Focusing on hardware hacking)

Hardware Dissection: Dismantling device to remove PCBs [DONE]

Chip analysis: Identify all possible microchips on PCBs and research for potential vulnerabilities [DONE]

Perform chip-off analysis of static RAM chip (remove chip, solder chip, pull data from chip using Arduino programming, analyze data) [IN PROGRESS]

Perform analysis of CPU (connect chip to power, test for vulnerable UART output) [IN PROGRESS]

OmniPod Dash (Focusing on Hardware Hacking or Exploiting a Backdoor)

Hardware Dissection: Dismantling device to remove PCBs [DONE]

Perform chip-off analysis of any relevant chips and access any and all data available [IN PROGRESS]

Perform analysis of CPU [IN PROGRESS]

Attempt to access data by exploiting update vulnerabilities [IN PROGRESS]

Philips Intellivue MP5

Dismantle device to find PCBs [In Progress]

Analysis of CPU [In Progress]

Analysis of software and firmware for vulnerabilities [In Progress]

Attempt further exploitation on any found vulnerabilities [In Progress]