Digital Medical Device Security Assessments

Lately I’ve been heavily involved in assessments on a couple of different medical devices. I can’t lay down specifics on the types of device or the companies at the moment but you can use your imagine. The devices are of the ‘smart’ genre and the end-user is a patient with health concerns.

These assessments have been really interesting. When we get down to the nitty-gritty, studying the docs with a fine-toothed comb, applying the knowledge we’ve gained from years of mobile app development and hardware curiosity, it’s really satisfying. We’ve done threat modelling exercises and full risk assessments of these devices, discovering issues with things like the proprietary software design approaches and with lack of tamper detection.

One of the most important parts of my work on the initial assessments has been the literature review, especially when FDA regulations are involved. I’ve found the details of exactly what is required to get the products through the FDA approval process.

Of course the initial assessments are succeeded by the BEST part, the penetration test! Pentesting smart medical devices in my experience involves attempts at dumping firmware – usually from Android hardware, sniffing traffic, dumping memory, and lots more exciting stuff. In the future I hope I can do a write-up and a conference talk on something juicy.

If you are developing an IoT device, it doesn’t have to be a medical device, you need a cybersecurity assessment. Threat modelling, full risk assessment, regulatory compliance, and pentest. Drop me an e-mail and let’s talk!

Stay safe during this pandemic. James xx