Kaspersky’s experts discovered that the most common data transfer protocol from wearables used to remotely monitor patients contained 33 vulnerabilities, including 18 “critical vulnerabilities” in mid-2021. These are 10 vulnerabilities more than in 2020, and many of them remain unaddressed, some of these vulnerabilities enable attackers to intercept data sent from the network to the device.
The pandemic has led to a rapid digitalisation of the healthcare sector. As hospitals and healthcare staff are overwhelmed and many people are quarantined at home, organizations have been forced to rethink how patient care is provided. In fact, a recent Kaspersky survey found that 91% of global healthcare providers have implemented telemedicine capabilities. Nevertheless, this rapid digitalisation has created new security risks, especially when it comes to patient data.
Part of telemedicine is also the remote monitoring of patients, which is carried out through the use of so-called wearables and screens. These include gadgets that can constantly or periodically monitor a patient’s health indicators, such as heart activity.
The MQTT protocol is the most common protocol for transmitting data from wearables and sensors, as it is easy to use and convenient. Therefore, it is possible that in addition to wearables it may also be found in almost any smart gadget. Unfortunately, when using MQTT, authentication is perfectly optional and rarely includes encryption. This makes MQTT particularly vulnerable to man-in-the-middle attacks (that is when attackers can find themselves between “two parties” while they communicate), enhancing the potential for data transferred over the internet to be intercepted. When it comes to wearables, this information could include extremely sensitive medical data, personal information, and even a person’s movements.
Since 2014, 90 vulnerabilities have been discovered in MQTT, including critical ones, many of which remain unaddressed to this day. In 2021, there were 33 new vulnerabilities, including 18 critical— 10 more than in 2020. All these vulnerabilities put patients at risk of interception of their data.
Kaspersky researchers identified vulnerabilities not only to the MQTT protocol but also to one of the most popular platforms for wearables: the Qualcomm Snapdragon Wearable platform. More than 400 vulnerabilities have been identified since the launch of this platform, which have not been fixed in their entirety, including some that have been identified since 2020.
It’s worth noting that the majority of wearables track both your health data and location and movements. This, in addition to the margin of data interception, also creates the possibility of stalking.