When you think of security flaws and vulnerabilities, PC operating systems, mobile devices, malware, and software bugs might come to mind -- rather than bionic hands. Researchers have now shown that we need to expand our security horizons to include modern prosthetics.
It was back in 2017 that the concept of vulnerabilities reaching beyond PCs to directly impact our health was highlighted, after close to half a million pacemakers were "recalled" by the US Food and Drug Administration (FDA) due to ingrained bugs in the firmware of the vital medical equipment.
St. Jude's pacemakers had to be recalled on a "voluntary" basis, however, as applying the firmware update to the devices -- which are crucial to assist ailing heart muscles -- came with its own risks and the possibility of causing the pacemakers to fail.
As our technological expertise grows, more and more medical devices are being connected to the Web and cloud systems to increase their performance and functionality. It is now not only pacemakers which may be at risk of exploit but any medical system which has poor security hygiene, whether this is a syringe pump, drug dispenser, or hospital equipment.
Now, two years later, it seems that advanced, smart prosthetics are also on the radar.
The Russia startup is the brainchild of CanTouch co-founder Ilya Chekh and Vasily Khlebnikov, launching five years ago in order to develop prosthetic hands for both children and adults who often have to rely on purely cosmetic limbs due to cost.
According to Motorica, the bionic hands -- 3D-printed with plastic, metal, and composites -- can be manufactured to contain a range of smart features, including an inbuilt display, an NFC chip for contactless payments, a GSM module, activity tracking, and smartwatch functionality.
In order to provide these features, access to the cloud is paramount, and it is this connection to an online system which has paved the way for potential attacks against prosthetics users.
Kaspersky investigated the security posture of the software solution designed to control and monitor one of the Motorica prosthetic hands. Described as an "experimental" remote cloud system, the software is used to monitor registered prosthetic devices but is also used by developers of smart wheelchairs and other prosthetics such as feet.
The cybersecurity research team found a range of zero-day vulnerabilities in the system which could "enable a third party to access, manipulate, steal or delete the private data of device users," according to the firm.
The vulnerabilities included an insecure HTTP connection, incorrect account operations, and insufficient input validation, all of which could be used by attackers to exploit the moment a prosthetic hand transmitted data to the cloud.
Kaspersky says that the bugs were severe enough to permit unauthorized access to cloud storage, revealing the data held concerning all of the connected prosthetics and accounts -- as well as permission to edit, delete, or change this information as hackers saw fit.
Login credentials and passwords were also stored in plaintext without any form of encryption, and attackers were also able to add or delete their own users with levels of authority up to administrator status, attack Motorica's internal infrastructure, or perform NoSQL injection attacks.
The findings were shared with Motorica which worked with Kaspersky on the issues.
TechRepublic: 5 ways to avoid top malware threats
"New technologies are bringing us to a new world in terms of bionic assisting devices," said Chekh. "It is now of crucial importance for the developers of such technologies to collaborate with cybersecurity solution vendors. That will allow us to make even theoretical cases of attacks on the human body impossible."
Medical devices are no longer basic; they can be highly complex systems which rely on cloud technology, sensors, and automation in order to perform effectively. Even though such attackers are mainly theoretical at present, this is no excuse for cybersecurity to not be involved in the product development lifecycle -- especially as such attacks, if launched, have the potential to severely impact users' lives.
"The results of our analysis are a good reminder that security needs to be built into new technologies from the very start," said Vladimir Dashchenko, security researcher at Kaspersky Lab. "We hope that other developers of advanced connected devices will want to collaborate with the security industry to understand and address device and system security issues and treat the security of devices as an integral and essential part of development."