New research released at Mobile World Congress 2019 uncovers
vulnerabilities in software for digital prosthetic hands
BARCELONA, Spain–(BUSINESS WIRE)–lt;a href=”https://twitter.com/hashtag/iot?src=hash” target=”_blank”gt;#iotlt;/agt;–Kaspersky
Lab experts investigating the experimental cloud infrastructure for
advanced bionic prostheses have identified several previously unknown security
issues that could enable a third party to access, manipulate, steal
or delete the private data of device users. The findings were shared
with manufacturer Motorica,
a Russian start-up that makes bionic upper limb prostheses to assist
people with disabilities, allowing them to address the security issues.
The Internet of Things (IoT) is no longer just about connected watches
or smart homes, but about highly complex and increasingly automated
ecosystems. This includes connected technologies for healthcare. In the
future, such technologies could shift away from being purely support
devices, to becoming mainstream and used by consumers keen to extend the
capabilities of the ordinary human body. Therefore, it is critical that
manufacturers investigate and address any existing or potential security
risks in current products, as well as their supporting infrastructure.
Kaspersky Lab ICS CERT researchers have undertaken a cybersecurity
assessment of a test software solution for a digital prosthetic hand,
developed by Motorica. The solution itself is a remote cloud system,
providing an interface for monitoring the status of registered
biomechanical devices. It also gives other developers an existing
toolset for analysis of the technical condition of devices like smart
wheelchairs, artificial hands and prosthetic feet.
The initial research identified several security issues in the software.
These included an insecure http connection, incorrect account operations
and insufficient input validation.
When in use, the prosthetic hand transmits data to the cloud system. Due
to these security gaps, an attacker could:
-
Gain access to information held in the cloud about all connected
accounts, including logins and passwords in plaintext for all the
prosthetic devices and their administrators - Manipulate, add or delete such information
-
Add or delete their own users, including users with administrator
rights
“Motorica is a high-technology, trusted and socially responsible
company, focused on addressing the challenges faced by people with
physical impairment,” said Vladimir Dashchenko, security researcher at
Kaspersky Lab ICS CERT. “As the company prepares for growth, we wanted
to help it ensure the right security measures were in place. The results
of our analysis are a good reminder that security needs to be built in
to new technologies from the very start. We hope that other developers
of advanced connected devices will want to collaborate with the security
industry to understand and address device and system security issues and
treat the security of devices as an integral and essential part of
development.”
“New technologies are bringing us to a new world in terms of bionic
assisting devices,” said Ilya Chekh, CEO at Motorica. “It is now of
crucial importance for the developers of such technologies to
collaborate with cybersecurity solution vendors. That will allow us to
make even theoretical cases of attacks on the human body impossible.”
For manufacturers of bionic devices and other smart technologies,
Kaspersky Lab recommends the following security measures:
-
Review threat models and vulnerability classifications for relevant
web-based and IoT technologies, provided by industry experts, such as OWASP
IoT Project. -
Introduce secure software development practices based on the proper
lifecycle. To evaluate existing software security practices, use a
systematic approach like OWASP
OpenSAMM. -
Establish a procedure for obtaining information on relevant threats
and vulnerabilities to ensure proper and timely response to any
incidents. -
Regularly update operating systems, application and device software
and security solutions. -
Implement cybersecurity solutions designed to analyze network traffic,
detect and prevent network attacks – at the boundary of the enterprise
network and at the boundary of the OT network. -
Use a security solution with machine
learning anomaly detection (MLAD) technology to reveal deviations
in IoT devices’ behavior — for early detection of attack, failure or
damage of the device.
The full version of the report is available on Securelist.
About Kaspersky Lab
Kaspersky Lab is a global cybersecurity company, which has been
operating in the market for over 21 years. Kaspersky Lab’s deep threat
intelligence and security expertise is constantly transforming into next
generation security solutions and services to protect businesses,
critical infrastructure, governments and consumers around the globe. The
company’s comprehensive security portfolio includes leading endpoint
protection and a number of specialized security solutions and services
to fight sophisticated and evolving digital threats. Over 400 million
users are protected by Kaspersky Lab technologies and we help 270,000
corporate clients protect what matters most to them. Learn more at www.kaspersky.com.
About Motorica
Motorica focuses on research and development in medicine and robotics.
Since 2014, the company has been developing artificial hand systems and
rehabilitation with assistive technologies. Motorica challenges outdated
ideas about prosthetic care. The team taught prostheses to communicate
with the user, go online, perform voice commands, pay for purchases. In
2018, Motorica launched the development of a rehabilitation platform
based on virtual reality and a platform for collecting telemetry via
gsm-module in prosthetic devices. Nowadays, people with disabilities
become the primary users of the cyber technology market and turn
weaknesses into strengths. Learn more at global.motorica.org.
Contacts
Meghan Rimol
781.503.2671
meghan.rimol@kaspersky.com