Security and privacy issues of data-over-sound technologies used in IoT healthcare devices | IEEE Conference Publication | IEEE Xplore


Abstract:

Internet of things (IoT) healthcare devices, like other IoT devices, typically use proprietary communication protocols. Usually, these proprietary protocols are not audited and may present security flaws. Further, new proprietary protocols are being designed in the field of IoT devices, such as data-over-sound communications. Data-over-sound is a new method of communication based on audio, with increasing popularity due to its low hardware requirements: only a speaker and a microphone are needed instead of the specific antennas required by Bluetooth or Wi-Fi protocols. In this paper, we analyze, audit and reverse engineer a modern IoT healthcare device used for performing electrocardiograms (ECG). The audited device is currently used in multiple hospitals and allows remote health monitoring of a patient with heart disease. For this audit, we follow a black-box reverse-engineering approach and use the STRIDE threat analysis methodology to assess all possible attacks. Following this methodology, we successfully reversed the proprietary data-over-sound protocol used by the IoT healthcare device and subsequently identified several vulnerabilities associated with the device. These vulnerabilities were analyzed through several experiments to classify and test them. We were able to successfully manipulate ECG results and fake heart illnesses. Furthermore, none of the attacks identified needs any patient interaction, making this a transparent process that is difficult to detect. Finally, we suggest several short-term solutions, centred on device isolation, as well as long-term solutions, centred on encryption capabilities.
Date of Conference: 07-11 December 2021
Date Added to IEEE Xplore: 24 January 2022
Conference Location: Madrid, Spain

I. Introduction

Nowadays, multiple IoT healthcare devices are being used by hospital staff and patients. Over the years, Implantable Medical Devices (IMDs) and Implantable Cardiac Defibrillators (ICDs) have been adding wireless communication capabilities. Other IoT healthcare devices, like insulin pumps or mobile electrocardiographs, have also been improving their interconnectivity and wireless communication technologies. Patients can carry these small electrocardiographs with them and perform periodic electrocardiograms (ECGs) that are sent to their corresponding medical specialist. These novel IoT devices facilitate monitoring and earlier diagnosis of patients, avoiding numerous hospital visits. Similar to other devices in the IoT industry, some of these devices use proprietary protocols or involve new methods of communication. One of these emerging communication technologies used for healthcare devices is known as data-over-sound.
