In this article we discuss problems in IoT systems that can have major consequences using the Philips e-Alert system as an example.
The Internet-of-Things lends itself well to the health sector. In many sectors, the value proposition of introducing IoT products is unclear. And, as discussed in our article 3 Elements of IoT Success in 2019, having a clearly defined value proposition is a requirement of a successful IoT product. However, in the health sector, it is usually very clear what the advantages are. For example, being able to detect critical issues before they occur and being able to monitor heart rate at all times to ensure a heart health are some prime examples of the potential benefits of IoT.
This is what makes health related IoT products so compelling. However, like most things, there is no pro without some form of con. Philips' e-Alert system is a great example of this.
The Philips e-Alert system is "an intelligent hardware- or software-based tool that keeps a close virtual eye on your MRI system performance" (source). In other words, it is an IoT product that enables remote monitoring of an MRI system. The idea being, potential future issues could be avoided by detecting some system condition and notifying a system manager via mobile notification. The value proposition is very clear - reduce downtime of MRI systems. The value was so clear that this system won the “Most Innovative IoT Solution” at the World Communication Awards in 2017 (source).
So where exactly are the problems? Like many IoT systems they reside in the implementation.
On August 30 2018 the ICS-CERT released an advisory describing a large list of vulnerabilities found in the Philips e-Alert product (source). As the advisory outlines, there were nine major flaws found in the system. These flaws range in severity but "CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION" and "USE OF HARD-CODED CREDENTIALS" are likely the most critical ones (source).
The consequences of these vulnerabilities is up to speculation. The "CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION" issue for example, might enable attackers on the network to obtain the credentials and critical data of users of the system. This could allow the attacker to impersonate an authorized user of the system.
Another concerning issue is the "UNCONTROLLED RESOURCE CONSUMPTION" vulnerability. An attacker could potentially affect the e-Alert system in specific a way causing the system to consume more memory or CPU than intended, leading to a denial of service attack. A denial of service in terms of a health system could be the difference between life or death - in this case, it would mean the difference between a functioning MRI machine and a non-functioning MRI machine.
As of September 2018, Philips has addressed four of these vulnerabilities, in an update released in June 2018. The "UNCONTROLLED RESOURCE CONSUMPTION" vulnerability is still present in the system. They plan on fixing the remaining vulnerabilities before the end of 2018 via a software update.
As of September 2018 here are no known public exploits, that attack these vulnerabilities (source). It is likely that Philips would have addressed these concerns more promptly if there were exploits.
Additionally, Philips is actively working on communicating with users to provide methods to reduce the consequences of these vulnerabilities.
A few things can be learned from this interesting IoT case study. For one, award winning IoT systems from large companies can have MAJOR vulnerabilities. Aspects such as encrypted transmission of data can not be expected by default. Secondly, critical bug fixes might take longer than expected. Philips has only addressed four of these nine vulnerabilities as of September 2018, however they are actively working to remedy these. Thirdly, providing mitigation methods to effected users and releasing public statements regarding the issues will help decrease loss of trust in a situation like this. Finally, the increasing importance of organizations like the ICS-CERT with the future of IoT is clearly visible here. Since Philips addressed the four biggest vulnerabilities before the release of the advisory, it is clear that they were aware of these issues. However, it is not clear if they were aware of the other issues mentioned in the advisory.
As a extension of this, it is important to realize that Philips is a very large company. If these problems exist in a Philips system, what types of problems exist in smaller companies' products?