The Internet of Things (IoT) cuts a wide swath across the technology landscape. IoT has the potential to radically modify the quality of human life. The dream was articulated as early as 1961 when MIT professor Aaron Fleisher wrote “The Influence of Technology on Urban Forms.”

“The idea that there exists in technology a potential capable of radically modifying the conditions of human existence has made prophecy a matter for general concern,” Fleisher stated. Today, predictions continue to expound on the potential and pitfalls of the IoT.

Health and Fitness Devices Lead to New Risks

Nowhere is this truer than the use of wearable devices in the health and fitness industry — from the simple fitness trackers for health enthusiasts to smart apparel that helps optimize the performance of athletes to health monitors and medical devices designed for personal and clinical use. This next era of interconnected devices has the potential to radically improve human health and fitness.

But the growing list of cybersecurity vulnerabilities in health and fitness devices pose challenging risks to patients whose privacy or health management depends on the proper functioning of these instruments. In June 2015, for example, Computerworld reported that attackers compromised medical devices such as blood gas analyzers with malware to gain access to the hospital networks.

Often, consumers are unaware of the security and privacy risks that many of these devices pose until after an event creates media waves. They expect the developers to build it right and build it secure; they assume the hospitals or doctor’s offices have the proper security controls to maintain the safety and privacy of their information. For the manufacturers of these devices, the concerns are: Will the devices be hacked and forced to perform outside of design specs? Will a virus infect the device and trigger a malfunction, thereby jeopardizing patient health? Will the data they collect about their customers be hacked and exploited by organized cybercrime gangs?

In January 2015, the Federal Trade Commission (FTC) issued guidance on privacy and security protection that should be included with the IoT, including medical devices. Addressing the security and privacy concerns associated with the usage of these devices is the key to unleashing the benefits they offer to society. It also requires a disciplined and structured approach that includes the design and development of these devices, manufacturing in a secure ecosystem and then the deployment and management of these devices, the data they produce and the actions this data drives.

Watch the on-demand webinar to learn more about securing the internet of things

Security and Privacy in Health and Fitness Devices

1. Design

When creating medical devices connected to the IoT, organizations must establish a secure hardware and software development process that includes code management, build management, automated testing, streamlined packaging and software delivery mechanisms. It should include source code analysis to identify vulnerabilities as well as security-related testing to identify runtime vulnerabilities.

Ensure integrity in the manufacturing and delivery of these devices. Establish a trusted ecosystem of suppliers and partners. Each component supplier should adopt secure design and development process to ensure no unintended malware or security bugs enter the supply chain. A trusted supply chain must include a focus on effective management of design, manufacturing, transportation, fulfillment, import and export, intellectual property management, support and maintenance.

Software delivery also applies to device firmware/software updates. As more and more software is running in a wide range of distributed devices, the need to update that software in a secure, timely and cost-effective manner also increases in importance. A secure, verifiable and audited software/firmware update is part of a secure development and deployment process.

2. Deploy

Deploying these devices in a secure way is just as important as their design. Attention should be paid to device provisioning and authentication. The deployment process should cross-authenticate both the device and the network to ensure it does not transmit confidential information to a ghost network. Similarly strong encryption should be deployed to ensure the integrity and privacy of the data on the device, in the cloud or during transmission from device to cloud.

If possible, consumers should be given access and the ability to set up user and usage privileges for their data. For example, they may want to give full viewing rights to their doctors but only reveal a subset of the information to other service providers. They should also be given the option to anonymize their data to further maintain their privacy.

All communications channels should be secured such that sensitive information is protected from observation, change or corruption. Validate input and output parameters to ensure that inadvertent command invocation or escalation of privilege is not possible.

Utilize authentication and authorization for devices, users and applications that will interact with one another as a part of the entire IoT solution. Mobile security factors into this since many of the user interfaces for health and medical applications will be surfaced via mobile devices.

3. Manage

Insert auditing and logging of both successful and unsuccessful requests for processing, and utilize monitoring and alerting technology distributed across the set of computing systems. This implies that there should be some level of audit logging and monitoring devices, networks and the cloud. Also necessary is detection of denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks against devices and the systems that support them.

Be attentive to availability and safety. Above all else, the system must be engineered to do no harm as a result of its connectedness. A fail-safe operation — dropping down incapability but bringing the system to a safe state — must be built into the connected device.

The future of the health and fitness industry is going to be increasingly intertwined with the growing number of mobile devices connected to the IoT. With proper security, these gadgets can deliver better medical service and reduce the costs of health care, improving quality of life for users. Taking a systemic approach to securing the devices and the data they collect will help keep the criminals at bay and allow society to radically improve its health and fitness.

More from Software Vulnerabilities

Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours

‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities.Figure 1 — Exploitation timelineHowever, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack surfaces can…

Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers

Overview In this post, IBM Security X-Force Red offensive hackers analyze how attackers, with elevated privileges, can use their access to stage Windows Kernel post-exploitation capabilities. Over the last few years, public accounts have increasingly shown that less sophisticated attackers are using this technique to achieve their objectives. It is therefore important that we put a spotlight on this capability and learn more about its potential impact. Specifically, in this post, we will evaluate how Kernel post-exploitation can be used…

Dissecting and Exploiting TCP/IP RCE Vulnerability “EvilESP”

September’s Patch Tuesday unveiled a critical remote vulnerability in tcpip.sys, CVE-2022-34718. The advisory from Microsoft reads: “An unauthenticated attacker could send a specially crafted IPv6 packet to a Windows node where IPsec is enabled, which could enable a remote code execution exploitation on that machine.” Pure remote vulnerabilities usually yield a lot of interest, but even over a month after the patch, no additional information outside of Microsoft’s advisory had been publicly published. From my side, it had been a…

Self-Checkout This Discord C2

This post was made possible through the contributions of James Kainth, Joseph Lozowski, and Philip Pedersen. In November 2022, during an incident investigation involving a self-checkout point-of-sale (POS) system in Europe, IBM Security X-Force identified a novel technique employed by an attacker to introduce a command and control (C2) channel built upon Discord channel messages. Discord is a chat, voice, and video service enabling users to join and create communities associated with their interests. While Discord and its related software…