Security and privacy issues of data-over-sound technologies used in IoT healthcare devices

Title: Security and privacy issues of data-over-sound technologies used in IoT healthcare devices
Publication Type: Conference Paper
Year of Publication: 2021
Authors: Cilleruelo, Carlos, Junquera-Sánchez, Javier, de-Marcos, Luis, Logghe, Nicolas, Martinez-Herraiz, Jose-Javier
Conference Name: 2021 IEEE Globecom Workshops (GC Wkshps)
Date Published: dec
Keywords: Communication system security, compositionality, data privacy, Data security, Electrocardiography, encryption audits, Hardware, Health devices, Heart, Internet of Things, performance evaluation, Predictive Metrics, Protocols, pubcrawl, Resiliency
Abstract: Internet of things (IoT) healthcare devices, like other IoT devices, typically use proprietary protocol communications. Usually, these proprietary protocols are not audited and may present security flaws. Further, new proprietary protocols are designed in the field of IoT devices, like data-over-sound communications. Data-over-sound is a new method of communication based on audio with increasing popularity due to its low hardware requirements. Only a speaker and a microphone are needed instead of the specific antennas required by Bluetooth or Wi-Fi protocols. In this paper, we analyze, audit and reverse engineer a modern IoT healthcare device used for performing electrocardiograms (ECG). The audited device is currently used in multiple hospitals and allows remote health monitoring of a patient with heart disease. For this auditing, we follow a black-box reverse-engineering approach and used STRIDE threat analysis methodology to assess all possible attacks. Following this methodology, we successfully reverse the proprietary data-over-sound protocol used by the IoT healthcare device and subsequently identified several vulnerabilities associated with the device. These vulnerabilities were analyzed through several experiments to classify and test them. We were able to successfully manipulate ECG results and fake heart illnesses. Furthermore, all attacks identified do not need any patient interaction, this being a transparent process which is difficult to detect. Finally, we suggest several short-term solutions, centred in the device isolation, as well as long-term solutions, centred in involved encryption capabilities.
DOI: 10.1109/GCWkshps52748.2021.9682007
Citation Key: cilleruelo_security_2021