IoMT Mobile Applications and The Relevance Of Their Security

Carlos Ávila    17 June, 2021

Almost a year ago, in the article “Internet of Health”, I described the incredible number of applications and devices that the medical industry has deployed, and that all of us will be using in the not so distant future. As has happened in other industries, this is perhaps the natural path for technology and the medical industry to follow, with the aim of improving services and people’s quality of life.

With all these changes, we now have a new term, IoMT or “Internet of Medical Things”, which, through IoT (“Internet of Things”) technologies, is here to stay. In IoMT, sensors embedded in traditional medical devices, combined with other technologies such as Big Data, collect data that, once extracted and analysed, helps offer a better service to patients and health professionals.

IoMT Mobile Applications And Functionalities

It is well known that hospitals around the world are becoming increasingly equipped with technological systems involving remote patient monitoring, insulin pumps, medication management, etc., all of which are connected to the hospital’s technological infrastructure.  

The idea of IoMT ultimately is to generate an interconnected health ecosystem with all these devices and technology platforms, and this is where mobile applications play a key role.

These mobile applications developed for IoMT in many cases manage (directly or indirectly) devices and systems of the hospital infrastructure, both within hospitals and externally. They start to execute actions or make data-driven decisions within a healthcare infrastructure because they remain connected to, for example, smartwatches, patient wristbands, asthma inhaler monitoring, urology sensors, etc.

Certain Findings On IoMT Apps

We have reviewed a few of these IoMT mobile applications with our mASAPP (mobile application continuous security analysis) platform, as well as with physical devices in a very cursory review. It is important to mention that every industry, and healthcare is no exception, must constantly look for flaws, analyse its security and implement new security controls, since technology is continuously changing and so is the way to protect it.

Firstly, I can highlight that some applications allow weak passwords when registering a user, without any password strength control. These applications also share a common characteristic: no 2FA controls were identified.

Image 1: No password complexity validation at user registration (e.g., “password”)

Another interesting aspect is that we found easily readable structures in .plist files, which indicates bad practice: either insecure storage of this data or inadequate review before uploading the applications to the stores.

Image 2: Files with hardcoded data in .plist files
Image 3: Hardcoded certificate files in apps

Although the applications establish secure communication channels (HTTPS) with their backends, we noticed that developers often arbitrarily disable security features that strengthen the communication channel on the client side (the app).
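An added example, not part of the original article or of the mASAPP platform: a minimal Python check for the two client-side findings above, hardcoded data in .plist files and relaxed transport security. It assumes the disabled feature is iOS App Transport Security; the key-name patterns and the sample plist are constructed for illustration.

```python
import plistlib
import re

# Key names that suggest a credential (heuristic chosen for this example).
SECRET_KEY = re.compile(r"passw(or)?d|secret|token|api[_-]?key|private[_-]?key", re.I)
PEM_BLOCK = re.compile(r"-----BEGIN [A-Z ]+-----")
# App Transport Security switches that relax the HTTPS requirements when true.
ATS_WEAKENING = {
    "NSAllowsArbitraryLoads",
    "NSAllowsArbitraryLoadsInWebContent",
    "NSExceptionAllowsInsecureHTTPLoads",
}

def audit_plist(raw: bytes) -> list[tuple[str, str]]:
    """Return (finding, key path) pairs for one XML or binary .plist."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                here = f"{path}/{key}"
                if key in ATS_WEAKENING and value is True:
                    findings.append(("ats-weakened", here))
                elif isinstance(value, (str, bytes)) and value:
                    text = value.decode("latin-1") if isinstance(value, bytes) else value
                    if PEM_BLOCK.search(text):
                        findings.append(("embedded-pem", here))
                    elif SECRET_KEY.search(key):
                        findings.append(("hardcoded-secret", here))
                walk(value, here)
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")

    walk(plistlib.loads(raw), "")
    return findings

# Constructed sample, not taken from any real application.
SAMPLE = plistlib.dumps({
    "CFBundleIdentifier": "com.example.iomt",
    "BackendPassword": "password",
    "ClientCert": "-----BEGIN CERTIFICATE-----\nMIIB(constructed)\n-----END CERTIFICATE-----",
    "NSAppTransportSecurity": {
        "NSAllowsArbitraryLoads": True,
        "NSExceptionDomains": {"api.example.com": {"NSExceptionAllowsInsecureHTTPLoads": False}},
    },
})

if __name__ == "__main__":
    for finding, path in audit_plist(SAMPLE):
        print(f"{finding:17} {path}")
```

Run against every .plist in an unpacked build before submission, any finding is a prompt for manual review rather than proof of a flaw.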

This is just a sample of the opportunities for improvement that these applications have. Likewise, we must not forget that many of these applications communicate directly with IoMT or IoT devices through protocols such as Bluetooth or over the internet, which expands the possible attack vectors for cybercriminals that we must be aware of in order to investigate and protect.

Challenges And Opportunities For Improvement

There are new challenges and attack vectors for administrators, manufacturers and security researchers alike, as we are likely to see many more threats to hospital infrastructures through the IoMT ecosystem as IoMT devices and their applications are implemented in facilities around the world.

Other issues to address relate to the standardisation of these devices and of the diverse communication protocols already implemented in healthcare technology environments. As we have seen with the mobile applications focused on these devices, this is already happening and is likely to increase rapidly, so the security of IoMT is challenging and we should start paying attention to it as a potential risk that attackers will want to take full advantage of.
