Kaspersky Lab experts, investigating the experimental cloud infrastructure for advanced bionic prostheses, have identified several previously unknown security issues that could enable a third party to access, manipulate, steal or even delete the private data and more of device users. The findings were shared with the manufacturer Motorica, a Russian high-technology start-up that develops bionic upper limb prostheses to assist people with disabilities, enabling them to address the security issues.
The Internet of Things is no longer just about connected smart watches or smart homes, but about advanced, complex, increasingly automated ecosystems. These include connected healthcare cyber technologies. In future, such technologies could shift away from being purely support devices to becoming mainstream and used by consumers keen to extend the capabilities of the ordinary human body through a process of cybernetisation. It is therefore important that any security risks that could potentially be exploited by attackers are minimised by investigating and addressing security issues in current products and their supporting infrastructure.
Kaspersky Lab ICS CERT researchers, in partnership with Motorica, have undertaken a cybersecurity assessment of a test software solution for a digital prosthetic hand developed by the Russian start-up. The solution itself is a remote cloud system, an interface for monitoring the status of all registered biomechanical devices. It also gives other developers an existing toolset for analysis of the technical condition of devices like smart wheelchairs, artificial hands and feet.
The initial research identified several security issues. These include insecure http connection, incorrect account operations and insufficient input validation. When in use, the prosthetic hand transmits data to the cloud system. Due to the security gaps, an attacker could:
- Gain access to information held in the cloud about all the connected accounts (including logins and passwords in plaintext for all the prosthetic devices and their administrators)
- Manipulate, add or delete such information
- Add or delete their own regular and privileged users (with administrator rights).
“ Motorica is a high-technology, trusted and socially responsible company, focused on addressing the challenges faced by people with physical impairment. As the company prepares for growth, we wanted to help it ensure the right security measures were in place. The results of our analysis are a good reminder that security needs to be built in to new technologies from the very start. We hope that other developers of advanced connected devices will want to collaborate with the security industry to understand and address device and system security issues and treat the security of devices as an integral and essential part of development,” said Vladimir Dashchenko, security researcher at Kaspersky Lab ICS CERT.
“New technologies are bringing us to a new world in terms of bionic assisting devices. It is now of crucial importance for the developers of such technologies to collaborate with cybersecurity solution vendors. That will allow us to make even theoretical cases of attacks on the human body impossible,” noted Ilya Chekh, CEO at Motorica.
To keep the devices safe, we advise that companies:
- Check out threat models and vulnerability classifications for the relevant web-based and IoT technologies, provided by industry experts, such as OWASP IoT Project.
- Introduce secure software development practices based on the proper lifecycle. To evaluate existing software security practices use a systematic approach — for example, OWASP OpenSAMM.
- Establish a procedure for obtaining information on relevant threats and vulnerabilities to ensure proper and timely response to any incidents.
- Regularly update operating systems, application and device software and security solutions.
- Implement cybersecurity solutions designed to analyse network traffic, detect and prevent network attacks – at the boundary of the enterprise network and at the boundary of the OT network.
- Use a protection solution with machine learning anomaly detection (MLAD) technology to reveal deviations in IoT devices’ behaviour — for early detection of attack, failure or damage of the device.
Read the full version of the report on the Securelist website.
While bionic technologies are developing, it is important to explore what kind of security issues they may contain to solve them properly. For better understanding on what the future can bring us, Kaspesky Lab hosts the Earth 2050 website with collection of futuristic forecasts.
About Kaspersky Lab
Kaspersky Lab is a global cybersecurity company, which has been operating in the market for over 21 years. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into next generation security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialised security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.
About Kaspersky Lab ICS CERT
Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (Kaspersky Lab ICS CERT) is a global project launched by Kaspersky Lab in 2016 to coordinate the efforts of automation system vendors, industrial facility owners and operators, and IT security researchers to protect industrial enterprises from cyberattacks. Kaspersky Lab ICS CERT devotes its efforts primarily to identifying potential and existing threats that target industrial automation systems and the Industrial Internet of Things. During its first year of operation, the team identified over 110 critical vulnerabilities in products by major global ICS vendors. Kaspersky Lab ICS CERT is an active member and partner of leading international organisations that develop recommendations on protecting industrial enterprises from cyberthreats. www.ics-cert.kaspersky.com
Motorica focuses on research and development in medicine and robotics. Since 2014, the company has been developing artificial hand systems and rehabilitation with assistive technologies. Motorica challenges outdated ideas about prosthetic care. The team taught prostheses to communicate with the user, go online, perform voice commands, pay for purchases. In 2018, Motorica launched the development of a rehabilitation platform based on virtual reality and a platform for collecting telemetry via gsm-module in prosthetic devices. Nowadays, people with disabilities become the primary users of the cyber technology market and turn weaknesses into strengths. Learn more at global.motorica.org.