The MQTT protocol, widely used to transfer data from wearable devices, had 33 vulnerabilities disclosed in 2021, 18 of them rated critical.
This was revealed by Kaspersky researchers, who said some of these vulnerabilities give bad actors the ability to intercept data being sent online from the device.
MQTT is a lightweight publish/subscribe messaging protocol that is simple to implement, which is why it can be found in almost all smart gadgets and in wearable devices, including those used for patient monitoring.
Healthcare digitisation
“The ongoing pandemic has led to a rapid digitalisation of the healthcare sector. With hospitals and healthcare staff overwhelmed, and many people quarantined at home, organisations have been forced to rethink how patient care is delivered,” according to Kaspersky.
Recent research by the company revealed that 91% of global healthcare providers have implemented tele-health capabilities, and this rapid digitalisation has brought with it a slew of new security risks, particularly in terms of patient data.
Part of tele-health includes remote patient monitoring, which is done using wearable devices, monitors and gadgets that can continuously or at intervals track a patient's health indicators, such as cardiac activity.
Convenient, not safe
In MQTT, authentication (a username and password carried in the client's CONNECT packet) is optional, and the protocol itself provides no encryption; that has to come from TLS on the underlying connection, which many deployments leave switched off, Kaspersky explains. Without it, anyone positioned between the device and the broker, in a man-in-the-middle attack, can read both the credentials and every message, so any data transferred over the Internet could be stolen.
“When it comes to wearable devices, that information could include highly sensitive medical data,” the company says.
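The exposure described above, as an added example that is not part of Kaspersky's report or any wearable vendor's code: a small Python decoder for MQTT 3.1.1 CONNECT and PUBLISH packets, run over a constructed, unencrypted byte stream of the kind an on-path observer would capture. The packet layout follows the MQTT 3.1.1 specification; the client ID, topic, username, password and heart-rate payload are invented for the illustration.

```python
# Added example (not from the original article): decode MQTT 3.1.1 CONNECT and
# PUBLISH packets from a plaintext byte stream, as an on-path observer would.
import struct

def _encode_remaining_length(n):
    """MQTT variable-length 'remaining length' field, 7 bits per byte."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | (0x80 if n else 0))
        if not n:
            return bytes(out)

def _decode_remaining_length(buf, pos):
    value, shift = 0, 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
        if shift > 21:  # spec allows at most four length bytes
            raise ValueError("malformed remaining length")

def _utf8(s):
    b = s.encode("utf-8")
    return struct.pack("!H", len(b)) + b  # length-prefixed UTF-8 string

def _read_utf8(buf, pos):
    n = struct.unpack_from("!H", buf, pos)[0]
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def build_connect(client_id, username=None, password=None, keepalive=60):
    """CONNECT packet; credentials sit in the payload with no protection."""
    flags = 0x02  # clean session
    payload = _utf8(client_id)
    if username is not None:
        flags |= 0x80
        payload += _utf8(username)
    if password is not None:  # password is binary data with a 2-byte length
        flags |= 0x40
        payload += struct.pack("!H", len(password)) + password
    var_header = _utf8("MQTT") + bytes([0x04, flags]) + struct.pack("!H", keepalive)
    body = var_header + payload
    return bytes([0x10]) + _encode_remaining_length(len(body)) + body

def build_publish(topic, payload, qos=0):
    """PUBLISH packet; packet identifier fixed at 1 when QoS > 0 (constructed)."""
    body = _utf8(topic) + (struct.pack("!H", 1) if qos else b"") + payload
    return bytes([0x30 | (qos << 1)]) + _encode_remaining_length(len(body)) + body

def _parse_connect(body):
    proto, p = _read_utf8(body, 0)
    level, cflags = body[p], body[p + 1]
    client_id, p = _read_utf8(body, p + 4)  # skip level, flags, keep-alive
    info = {"type": "CONNECT", "protocol": proto, "level": level,
            "client_id": client_id, "username": None, "password": None}
    if cflags & 0x04:  # will flag set: skip will topic and will message
        _, p = _read_utf8(body, p)
        p += 2 + struct.unpack_from("!H", body, p)[0]
    if cflags & 0x80:
        info["username"], p = _read_utf8(body, p)
    if cflags & 0x40:
        n = struct.unpack_from("!H", body, p)[0]
        info["password"] = body[p + 2:p + 2 + n]
    return info

def _parse_publish(body, flags):
    qos = (flags >> 1) & 0x03
    topic, p = _read_utf8(body, 0)
    if qos:
        p += 2  # packet identifier
    return {"type": "PUBLISH", "topic": topic, "qos": qos, "payload": body[p:]}

def parse_packets(stream):
    """Split a captured TCP byte stream into MQTT control packets."""
    packets, pos = [], 0
    while pos < len(stream):
        ptype, pflags = stream[pos] >> 4, stream[pos] & 0x0F
        length, start = _decode_remaining_length(stream, pos + 1)
        body, pos = stream[start:start + length], start + length
        if ptype == 1:
            packets.append(_parse_connect(body))
        elif ptype == 3:
            packets.append(_parse_publish(body, pflags))
    return packets

def harvest(stream):
    """What a passive observer learns from a plaintext session."""
    packets = parse_packets(stream)
    creds = [(p["username"], p["password"]) for p in packets
             if p["type"] == "CONNECT" and p["username"] is not None]
    data = [(p["topic"], p["payload"]) for p in packets if p["type"] == "PUBLISH"]
    return creds, data

# Constructed capture: a wearable connects with a password, then publishes a
# heart-rate reading. None of these identifiers or values are real.
CAPTURE = (build_connect("wearable-0042", username="ward7-monitor", password=b"s3cret")
           + build_publish("patients/0042/hr", b'{"bpm": 118}'))
```

Running `harvest(CAPTURE)` returns the broker credentials and the patient reading straight out of the bytes, which is the whole point: without TLS the "authentication" only proves the device knows a password that every observer on the path now also knows. Over TLS the same capture is opaque. On a Mosquitto broker the corresponding hardening is `allow_anonymous false` with a `password_file`, and a `listener 8883` configured with `cafile`, `certfile` and `keyfile` (optionally `require_certificate true` for client certificates), with the plaintext port 1883 closed; changing any vendor default password still applies, since TLS hides the credential but does not make a weak one strong.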
Since 2014, 90 vulnerabilities have been discovered in MQTT, many of which remain unpatched even today. In 2021 alone, 33 new vulnerabilities were disclosed, including 18 critical ones, ten more than in 2020.
“All of these vulnerabilities put patients at risk of having their data stolen,” Kaspersky says.
Researchers found vulnerabilities not only in the MQTT protocol but also in one of the most popular platforms for wearable devices, the Qualcomm Snapdragon Wear platform. More than 400 vulnerabilities have been found since the platform was introduced, and not all of them have been patched, including some disclosed two years earlier.
Stealing and stalking
Kaspersky says it’s worth noting that most wearable devices track both health data and location and movements, opening up the possibility of not just stealing data but stalking, too.
Maria Namestnikova, head of the Russian Global Research and Analysis Team (GReAT) at Kaspersky, says the pandemic led to a sharp growth in the tele-health market, which involves a range of complex, rapidly evolving technologies and products, including specialised applications, wearable devices, implantable sensors, and cloud-based databases.
“However, many hospitals are still using untested third-party services to store patient data, and vulnerabilities in healthcare wearable devices and sensors remain open. Before implementing such devices, learn as much as you can about their level of security to keep the data of your company and your patients safe,” she adds.
Minimise data transfer
To keep patient data safe, Kaspersky recommends that healthcare providers check the security of any application or device before a hospital or medical organisation suggests it to patients, and minimise the data that tele-health apps transfer wherever possible.
Last but not least, the company advises changing default passwords and enabling encryption wherever the device offers it.