"The Codenomicon tools are amazing. Using them is like being attacked by the most relentless adversary who uses every possible method to find flaws in your code.

We fixed subtle crash bugs in Samba that had been in the code for over ten years. We would never have found those bugs without the Codenomicon tools.

If you're serious about implementing protocols correctly, you need the Codenomicon tools."

-- Jeremy Allison,
   Co-Creator of Samba



Security Testing for Medical Devices


Introduction

Technological development has introduced an abundance of sophisticated smart medical devices that communicate wirelessly. There is only one solution to the security and safety threat posed by low-quality code: fuzz testing. The more critical the solution is for patients' health, the more rigorous the fuzzing that is needed.

"A large percentage of medical devices are now connected to the outside world through wireless and fixed data-networks. Until now, there hasn't been a focus on testing these systems thoroughly for threats or vulnerabilities." - Jeff Walker, Codenomicon

Download full whitepaper on this topic:
www.codenomicon.com/resources/whitepapers/Medical-device-fuzzing.pdf

New medical devices communicate wirelessly

Technological development has introduced an abundance of sophisticated medical devices that are used, for example, to diagnose a medical condition or to monitor the patient. Millions of people worldwide use personal medical devices that collect data, analyze the patient's condition, and administer care. Medical devices improve the quality of treatment, help with diagnosis and patient monitoring, and, thanks to remote monitoring, allow some patients to stay at home instead of in a hospital bed. The data is transmitted wirelessly between the patient and the medical staff, and the devices communicate with each other and with network servers over wireless or wired networks, quite often using public protocols.

Medical device security challenge

Considering the function of the devices and the nature of data they handle, it is paramount that they are secure and reliable. Patient safety and confidential data integrity are in everyone's best interest, and medical device malfunction can have grave consequences.

Currently, security solutions focus on isolating medical devices from public networks with firewalls and on scanning for malware. However, these solve only part of the problem. Most medical devices use the exact same protocols and software that were designed for devices that cost a fraction of the medical device's price and are used for less critical functions. Along with the software, its vulnerabilities are inherited by the medical world. Threats brought on by poor-quality software are something neither medical staff nor patients should need to worry about.

Quality through fuzz testing

There is only one solution to the problem of low-quality code: testing. The more critical the solution is for patients' health, the more rigorous the testing that is needed. This is even more important if the device or equipment uses any form of public or semi-public network that cannot be fully controlled. What is more, the decision to test has to come from the developers themselves; it cannot be imposed on them by anyone else.

The most reliable way to find previously unknown, 0-day vulnerabilities in software is fuzz testing. When software is fuzzed during development, vulnerabilities are revealed and can be fixed before deployment. This means a safer, more reliable product and fewer costly and inconvenient patches.

Codenomicon Defensics for medical device fuzzing

Codenomicon Defensics is a model-based, fully automated fuzz testing platform that improves software quality by finding vulnerabilities quickly and efficiently and by verifying the fixes during the regression testing phase. Cut costs by fixing vulnerabilities proactively and reducing the number of security patches needed. Develop secure, reliable medical devices that keep patients safe.

Read more about Defensics.

Contact us! Send us an email at sales@codenomicon.com to learn more about fuzzing solutions for medical device development.