Vulnerabilities on battery units for medical devices could allow for network access, DoS, and man-in-the-middle attacks, highlighting IoT security issues and the need to properly decommission equipment.
This sub-headline made me rub my eyes in disbelief as if I’d seen a unicorn because that’s how rarely I ever see a cybersecurity firm publishing content on data security for retired IT assets.
The firm describes the threat:
♦️ The battery units store Wi-Fi credential information on the device in non-volatile memory (NVM).
♦️ Discarded or resold batteries could be acquired in order to harvest Wi-Fi credentials from the original organization if that organization hadn’t been careful about wiping the batteries clean before getting rid of them.
♦️ The remediation for the vulnerability is to carefully purge Wi-Fi information by connecting the vulnerable batteries to a unit with invalid or blank data before reselling or otherwise disposing of the devices.
♦️ Tod Beardsley, Rapid7‘s director of research, said that the finding emphasizes the importance of properly decommissioning equipment that could hold sensitive data, and that network managers have to be aware of the potential threat posed by vulnerable IoT devices.
♦️ “Due diligence is necessary to ensure that IoT devices do not contain extractable sensitive information when they are discontinued within a particular organization,” he said.
I’m not a storage engineer, and I’ve not worked with these devices, but my limited understanding of overwriting drives during the IT Asset Disposition process from my 3 years working with NextUse, a leader in ITAD data security, leads me to believe that the remediation recommendation might be inadequate, that it assumes that the new invalid or blank data completely overwrites the old relevant data, which is unlikely unless the NVM storage component has exactly the amount of storage capacity needed just to hold the wi-fi data, or the data can only be written to the same sectors on the NVM, and that if less data is provided than is already being stored, the entirety of the old data is automatically overwritten with “junk data” like 1s or 0s, as needed.
If the new data is simply written in addition to the old data, and the Master File Table (MFT)/File Allocation Table (FAT) table now just points to the new data, the old data is still retrievable via commercially available forensics software, much like how reformatting a hard drive or solid-state drive simply hides the data on the drive from an Operating System (OS) but does not overwrite it, which is the only way to make the data irretrievable short of physically destroying the storage component, shredding down to a few millimeters in the case of SSDs/NVMs.
Because cybersecurity for most IoT devices seems to be an afterthought, this is just one of several security vulnerabilities for the device outlined in the article.
