Anyone relying on wearable devices that transmit heart-rate and vital-signs data to the cloud should take note of what one cybersecurity firm has just announced.
With a majority of healthcare providers rushing to implement telehealth capabilities during the pandemic, a number of vulnerabilities have come to light.
Part of telehealth includes remote monitoring of patients via so-called wearable devices and vital-sign monitors. These include gadgets that can continuously (or at intervals) track a patient’s health indicators, such as cardiac activity.
Now, cybersecurity experts from Kaspersky have reported that MQTT, the most commonly used protocol for transferring data from wearable devices, had 33 vulnerabilities disclosed in 2021 alone, 19 of them rated critical. That is more than twice the number of critical vulnerabilities found in 2020. Many of them remain unpatched, potentially allowing attackers to intercept data as it travels from the device to the internet and the cloud.
The researchers also found vulnerabilities not only in the MQTT protocol but in one of the most popular platforms for wearable devices, the Qualcomm Snapdragon Wearable platform. More than 400 vulnerabilities have been found since the platform was launched; not all have been patched, including some dating back to 2020.
Gain your health, lose your wealth?
The vulnerabilities described above put not only private health data at risk but also geolocation information, which can be used for stalking, phishing, fraud and other criminal schemes. This is because the MQTT protocol is highly susceptible to man-in-the-middle attacks, meaning any data it carries over the internet could potentially be intercepted and monitored.
Since 2014, 90 vulnerabilities in MQTT have been discovered, many of which remain unpatched to this day.
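MQTT itself defines no encryption or broker authentication; those come from the TLS layer the client is configured with, and a client that skips certificate verification is no better off against an interposed host than one speaking plaintext. As an added illustration, not code from Kaspersky's report or from this article, the following standard-library Python check flags the client-side settings that leave an MQTT session open to the interception described above. The broker host and port numbers are constructed placeholders, and the audit codes are hypothetical.

```python
import ssl
from dataclasses import dataclass
from typing import List, Optional

MQTT_PLAINTEXT_PORT = 1883  # conventional unencrypted MQTT port
MQTT_TLS_PORT = 8883        # conventional MQTT-over-TLS port


@dataclass
class MqttEndpoint:
    """Client-side view of a broker connection. tls=None means plaintext MQTT."""
    host: str
    port: int
    tls: Optional[ssl.SSLContext]


def hardened_tls_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """TLS settings a wearable gateway client should use: broker certificate
    required, hostname checked against it, nothing older than TLS 1.2."""
    ctx = ssl.create_default_context(cafile=ca_file)  # system CA store if None
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def weak_tls_context() -> ssl.SSLContext:
    """The 'just make it connect' setting: traffic is encrypted, but the client
    accepts whatever certificate it is shown, so the broker is never authenticated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_endpoint(ep: MqttEndpoint) -> List[str]:
    """Return hypothetical finding codes for the ways this configuration exposes
    vital-signs traffic to a man-in-the-middle; an empty list means none found."""
    findings = []
    if ep.tls is None:
        # Topics, payloads and CONNECT credentials are readable and alterable in transit.
        return ["PLAINTEXT_MQTT"]
    if ep.tls.verify_mode != ssl.CERT_REQUIRED:
        findings.append("NO_CERT_VERIFY")      # any interposed host is accepted
    if not ep.tls.check_hostname:
        findings.append("NO_HOSTNAME_CHECK")   # a valid cert for another name is accepted
    if ep.tls.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("OLD_TLS_ALLOWED")
    return findings
```

Running the audit over a fleet's client configurations (or a device vendor's SDK defaults) before deployment is a cheap way to act on the advice in the quote below.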
According to Maria Namestnikova, Kaspersky Global Research and Analysis Team (Russia): “Many hospitals are still using untested third-party services to store patient data, and vulnerabilities in healthcare wearable devices and sensors remain open. Before implementing such devices, learn as much as you can about their level of security to keep the data of your company and your patients safe.”