Kaspersky finds 33 vulnerabilities in data transfer protocols of wearables

In 2021, Kaspersky discovered 33 new vulnerabilities in the data transfer protocols used by wearable devices.
8 February 2022


  • Kaspersky discovered 33 new data transfer vulnerabilities on healthcare wearable devices in 2021 
  • They include 18 critical ones which put patients at risk of having their data stolen
  • Kaspersky researchers found vulnerabilities not only in the MQTT protocol but also in one of the most popular wearable device platforms 

When it comes to wearables, the data transfer these devices perform in order to provide insights to users is what makes them effective health monitors. Today, wearable devices are able to process data on the device itself and give users real-time analytics for whatever they are using the device for.

It’s also important to note that some wearables, especially those for health purposes, go through a stringent data transfer process. The MQTT data transfer protocol normally involves user data being transmitted to the cloud or data center where it is processed, analyzed, and then sent to a medical practitioner for review.

With the rapid digitalization of the healthcare sector, organizations are relying on wearable devices for patient care more than ever before. These devices monitor pulse rate, blood pressure and even sleep patterns. Some countries have even issued medical armbands or tokens to people suspected of having COVID-19 in order to trace their movements.

In fact, recent Kaspersky research found that 91% of global healthcare providers have implemented telehealth capabilities. However, this rapid digitalization has created new security risks, especially when it comes to patient data.

Part of telehealth includes remote patient monitoring, which is done using wearable devices and monitors. These include gadgets that can continuously or at intervals track a patient’s health indicators, such as cardiac activity.

Users are made aware that the data transfer from their wearable devices is monitored for medical reasons. And they are also assured that their data is only used for medical monitoring and nothing else.

MQTT Protocol and data transfer

The MQTT protocol is the most common protocol for data transfer from wearable devices and sensors because it’s easy and convenient. It is designed as extremely lightweight ‘publish/subscribe’ messaging that is ideal for connecting remote devices with a small code footprint and minimal network bandwidth.

MQTT can be found not only in wearable devices but also in almost any smart gadget. Unfortunately, in MQTT authentication is completely optional, and the connection is rarely encrypted.

This makes MQTT highly susceptible to man-in-the-middle attacks (when attackers can place themselves between “two parties” while they communicate), meaning any data transfer over the internet could potentially be intercepted and stolen. When it comes to wearable devices, that information could include highly sensitive medical data, personal information, and even a person’s movements.
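As an added illustration (not code from the article or from Kaspersky), the following Python encodes and decodes an MQTT 3.1.1 CONNECT packet and shows why the protocol's authentication is optional: the username and password are each gated by a single flag bit that a client may simply leave clear. The audit function flags such connections, and the sample packets are constructed here rather than captured from any device.

```python
import struct
def _s(b: bytes) -> bytes:                       # length-prefixed field, as MQTT encodes strings
    return struct.pack(">H", len(b)) + b

def build_connect(client_id: bytes, user: bytes = None, pw: bytes = None) -> bytes:
    """Encode a minimal MQTT 3.1.1 CONNECT; note that credentials are optional by design."""
    flags, payload = 0x02, _s(client_id)         # 0x02 = clean session
    if user is not None:
        flags |= 0x80                            # bit 7: username present
        payload += _s(user)
    if pw is not None:
        flags |= 0x40                            # bit 6: password present
        payload += _s(pw)
    body = _s(b"MQTT") + bytes([4, flags]) + struct.pack(">H", 60) + payload
    return bytes([0x10, len(body)]) + body       # body < 128 bytes: one-byte remaining length

def _rd(buf: bytes, i: int):                     # read one length-prefixed field at offset i
    n = struct.unpack(">H", buf[i:i + 2])[0]
    return buf[i + 2:i + 2 + n], i + 2 + n

def parse_connect(pkt: bytes) -> dict:
    """Decode the fields an auditor cares about from a short CONNECT packet."""
    if pkt[0] >> 4 != 1 or pkt[1] & 0x80:
        raise ValueError("not a single-byte-length CONNECT packet")
    proto, i = _rd(pkt, 2)
    level, flags = pkt[i], pkt[i + 1]
    i += 4                                       # skip level, flags and keepalive
    client_id, i = _rd(pkt, i)
    for _ in range(2 if flags & 0x04 else 0):    # will flag set: skip will topic and message
        _, i = _rd(pkt, i)
    user = pw = None
    if flags & 0x80:
        user, i = _rd(pkt, i)
    if flags & 0x40:
        pw, i = _rd(pkt, i)
    return {"proto": proto, "level": level, "client_id": client_id, "user": user, "pw": pw}

def audit_connect(pkt: bytes, tls: bool) -> list:
    """Findings for one CONNECT observed at the broker; tls says whether the listener used TLS."""
    c, findings = parse_connect(pkt), []
    if c["user"] is None:
        findings.append("anonymous connect: no username sent")
    elif c["pw"] is None:
        findings.append("username sent without a password")
    if not tls:
        findings.append("plaintext listener: credentials and telemetry readable in transit")
    return findings

ANON = build_connect(b"band-01")                          # constructed sample: unauthenticated band
AUTHED = build_connect(b"band-02", b"nurse", b"s3cret")   # constructed sample: credentialed band
```

Run against a broker's own connection log, the same checks turn the article's "optional authentication" into a concrete finding per device.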

According to Kaspersky, 90 vulnerabilities in MQTT have been discovered since 2014, including critical ones — many of which remain unpatched to this day. In 2021, there were 33 newly discovered vulnerabilities, including 18 critical ones — 10 more than in 2020. All of these vulnerabilities put patients at risk of having their data stolen.

[Chart: Number of vulnerabilities found in the MQTT protocol, 2014-2021. (Source – Kaspersky)]

Kaspersky researchers found vulnerabilities not only in the MQTT protocol but also in one of the most popular platforms for wearable devices, the Qualcomm Snapdragon Wearable platform. There have been more than 400 vulnerabilities found since the platform was launched; not all have been patched, including some from 2020.

It’s worth noting that most wearable devices track health data along with the wearer’s location and movements. This opens up the possibility not just of data theft but also of stalking.

“The pandemic has led to a sharp growth in the telehealth market, and this doesn’t just involve communicating with your doctor via video software. We’re talking about a whole range of complex, rapidly evolving technologies and products, including specialized applications, wearable devices, implantable sensors, and cloud-based databases,” commented Maria Namestnikova, Head of the Russian Global Research and Analysis Team (GReAT) at Kaspersky.

“However, many hospitals are still using untested third-party services to store patient data, and vulnerabilities in healthcare wearable devices and sensors remain open,” Namestnikova continued. “Before implementing such devices, learn as much as you can about their level of security to keep the data of your company and your patients safe.”

With the increasing use of wearable devices, Kaspersky recommends that healthcare providers check the security of any application or device suggested by the hospital or medical organization. They should also minimize the data transferred by telehealth apps where possible, change default passwords, and use encryption if the device offers it.