eBay: a hacker's source for acquiring remote monitoring medical devices for security testing?

Tuesday, April 13, 2010

shawn merdinger


I typically check eBay weekly for medical devices showing up, with an eye for anything with a network interface.

Bluetooth-enabled devices abound, but the misperception that an attacker must be physically close decreases popular interest from a security testing perspective. In contrast, it's a box "on the wire" that enables an attacker in, say, Palau to reach out and provide what I'd call a "negative home medical monitoring experience."

So what's on eBay? 

Here's a ViTel (now owned by Bosch) device and blood pressure monitor on eBay that's a few years old, but has the ability "...to communicate via standard telephone line, broadband, or cellular and does not interfere with existing telephone service." 

ViTel Net Turtle 400 & A&D UA-767PC Blood Pres. Monitor 
eBay Link: http://tinyurl.com/yytwgma 

Suggested for discussion: 

1. Should vendors of these devices be concerned about their sale on sites like eBay? Why or why not?

2. Are there any available business services that monitor the after-market sale of these devices? 

3. Would/should vendors care about re-acquiring these devices? 

4. How interesting / valuable would it be to conduct a security analysis on this device, report the findings to CERT, and publish at DefCon or BlackHat? 

g b: Good point and certainly a concern.

1. Should vendors of these devices be concerned about their sale on sites like eBay? Why or why not?
Yes, I believe that the possibility of compromise to their device/s should be addressed to ensure secure patient care. What if their device is available for malicious research and is compromised? This would enable an attacker to put lives at risk. Granted this is just a blood pressure monitor but where does it stop? What if this device was connected to a larger network where other devices like life support type devices reside? The attacker could compromise the weakest link (i.e. CAT I or the most common CAT II FDA devices) to gain access to more important devices.
2. Are there any available business services that monitor the after-market sale of these devices?
I’m not sure of any available business services that monitor after-market sales but I believe that the companies should practice their due diligence with whom and for what purpose these sales are conducted.
3. Would/should vendors care about re-acquiring these devices?
I believe that a required process should be in place in order to alleviate any potential compromise.
4. How interesting / valuable would it be to conduct a security analysis on this device, report the findings to CERT, and publish at DefCon or BlackHat?
Extremely valuable. Correct me if I’m wrong but I believe the only “medical” brief I saw during BlackHat 2011 was that of a guy who hacked his own insulin pump. The medical industry does not highlight these issues enough and should be attending these conferences to get the word out.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
