Case Study · IoT & Hardware Security Testing
Critical Vulnerabilities in a Connected Medical Device — Firmware Extraction, BLE Command Injection, False Glucose Readings
Engagement Background
The Situation When We Were Engaged
An Indian medical device startup developing a connected continuous glucose monitor (CGM) for diabetic patients engaged SIRI Law LLP prior to FDA 510(k) and CDSCO submissions. The device transmitted readings via Bluetooth Low Energy to a companion app.
A U.S. hospital system’s procurement policy required independent IoT security assessment before formulary evaluation. Without it, the deal — and potentially all U.S. market entry — was blocked.
SIRI Law LLP extracted the complete firmware via UART debug interface in 45 minutes, discovered hardcoded credentials shared across all devices, and demonstrated BLE command injection enabling false glucose readings — a direct patient safety risk. The cloud backend API had no device authentication, meaning any party knowing a device ID could submit false readings remotely.
All five critical vulnerabilities were remediated before FDA 510(k) submission.
Client Profile
Attack Scenario & Methodology
How the Assessment Was Conducted
Testing Methodology
Full hardware and firmware security assessment: 5 production-equivalent devices. 2 used for destructive testing. Tools: Bus Pirate (UART/SPI/I2C), J-Link (JTAG), Binwalk (firmware extraction), Ghidra (reverse engineering — no source code provided), GATTacker (BLE MitM), Frida (mobile app dynamic analysis), Burp Suite (cloud API).
OWASP IoT Attack Surface Areas methodology. Assessment covered: physical interfaces, firmware, BLE protocol, iOS/Android companion app, cloud backend API, device provisioning process, OTA update mechanism.
Technical Findings
What We Found
Each finding documented with proof-of-concept. Root cause and remediation guidance provided for every item.
CRIT-001: UART interface on accessible test points exposed a root shell. Firmware extracted in 45 minutes. Analysis found: hardcoded MQTT broker password (shared across all devices, giving access to all patient readings), hardcoded engineering WiFi password, device provisioning API key. CVSS 9.8.
CRIT-002: ‘Just Works’ BLE pairing with no MitM protection. Custom GATT calibration command accepted from any paired device. An attacker within 30m BLE range could inject calibration offsets — causing 5.5 mmol/L to appear as 12.0 (false hyperglycaemia triggering unnecessary insulin) or 2.5 (false hypoglycaemia). Direct patient safety risk. CVSS 9.4.
CRIT-003: Cloud backend API performed no device authentication, and device IDs were sequential integers. Any client knowing a device ID could query all glucose readings or submit false readings — without physical BLE proximity. Remote false reading injection at internet scale. CVSS 9.1.
CRIT-004: Firmware downloaded from an S3 URL without cryptographic signature verification. A compromised cloud backend or DNS poisoning → malicious firmware installed. No secure boot chain. CVSS 8.6.
JTAG fuse not blown — full debug access to MCU in production units. Combined with UART: two routes to complete device compromise. CVSS 7.8 (physical access required).
Engagement Timeline
Phase-by-Phase Execution
Physical Interface Reconnaissance
Bus Pirate connected to UART test points. Root shell achieved. Firmware extraction begun.
Firmware Static Analysis
Binwalk extraction + Ghidra reverse engineering. 3 hardcoded credentials identified. MQTT broker password confirmed to give access to all device telemetry.
BLE Protocol Analysis
GATTacker MitM proxy: captured BLE traffic. GATT service analysed. Calibration command injection demonstrated — false reading confirmed on device display and companion app.
Cloud Backend API Testing
Sequential device IDs confirmed via enumeration. Unauthenticated reads and writes to any device’s data confirmed. SSRF and injection testing of cloud endpoints.
Mobile App + Reporting
Frida dynamic analysis of iOS/Android apps. Certificate pinning bypass on jailbroken devices. Full report delivered. Remediation roadmap provided for FDA submission timeline.
Legal & Regulatory Risk Analysis
Why This Mattered Legally
SIRI Law LLP’s integrated practice means every technical finding is analysed for its legal and regulatory implications — providing a complete risk picture, not just a vulnerability list.
FDA Cybersecurity in Medical Devices (2023)
Hardcoded credentials (CRIT-001), BLE unauthenticated commands (CRIT-002), and unsigned firmware (CRIT-004) would cause 510(k) rejection requiring resubmission. 6–12 month U.S. market entry delay.
Patient Safety Liability
BLE false reading injection (CRIT-002) could cause fatal hypoglycaemia (false low reading delaying treatment) or dangerous insulin over-administration (false high reading). Consumer Protection Act 2019 product liability.
HIPAA — Business Associate
U.S. hospital customers are Covered Entities. The startup is a Business Associate. CRIT-001 (shared MQTT password) and CRIT-003 (unauthenticated API) constituted HIPAA Security Rule violations.
DPDPA 2023
Glucose readings = sensitive health data. Unauthenticated API access to all patient readings. DPDPA Section 8(4) failure.
Remediation Programme
How We Fixed It
✦ Firmware & Hardware
UART and JTAG disabled in production firmware build + JTAG fuse blown in programming script.
All hardcoded credentials eliminated — per-device secrets provisioned during manufacturing via secure provisioning server.
ECDSA-P256 firmware signing implemented — invalid signatures rejected by bootloader.
Microchip ATECC608 secure element added to hardware design for key storage.
✦ BLE & Communication
BLE pairing migrated to Numeric Comparison mode — eliminates Just Works MitM vulnerability.
HMAC-SHA256 session-authenticated commands — unsigned commands rejected.
MQTT: per-device TLS client certificates replacing shared hardcoded password.
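The vulnerable calibration path and its HMAC-SHA256 session-authenticated replacement, as an added illustration that is not the client's firmware or SIRI Law LLP's code. The opcode, frame layout, 16-byte tag truncation, monotonic counter and session key are all assumptions; the key is taken to come from the authenticated (Numeric Comparison) pairing.

```python
import hmac
import hashlib
import struct

CALIBRATE = 0x10      # assumed opcode of the custom GATT calibration command
TAG_LEN = 16          # assumed: HMAC-SHA256 tag truncated to 128 bits


def encode_offset(offset_mmol):
    """Calibration offset as a signed 16-bit value in 0.1 mmol/L units (assumed encoding)."""
    return struct.pack("<h", round(offset_mmol * 10))


def vulnerable_handle(frame, reading):
    """'Before': any paired device's calibration frame is applied as-is (CRIT-002)."""
    if frame[0] != CALIBRATE:
        return reading
    (offset,) = struct.unpack_from("<h", frame, 1)
    return reading + offset / 10


def build_command(session_key, opcode, payload, counter):
    """Companion-app side: opcode | 32-bit counter | payload | HMAC tag over everything before it."""
    body = struct.pack("<BI", opcode, counter) + payload
    return body + hmac.new(session_key, body, hashlib.sha256).digest()[:TAG_LEN]


class CommandVerifier:
    """Device side: rejects frames whose tag is missing/invalid or whose counter does not increase."""

    def __init__(self, session_key):
        self.key = session_key
        self.last_counter = 0

    def verify(self, frame):
        if len(frame) < 5 + TAG_LEN:
            return None                      # too short to carry a header and a tag
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None                      # unsigned or tampered frame
        opcode, counter = struct.unpack_from("<BI", body, 0)
        if counter <= self.last_counter:
            return None                      # replayed frame
        self.last_counter = counter
        return opcode, body[5:]


def hardened_handle(verifier, frame, reading):
    """'After': the calibration offset is applied only for an authenticated, fresh command."""
    cmd = verifier.verify(frame)
    if cmd is None or cmd[0] != CALIBRATE:
        return reading
    (offset,) = struct.unpack("<h", cmd[1])
    return reading + offset / 10
```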
✦ Cloud & Mobile
Device authentication: mutual TLS with per-device certificates — API requires client cert, issued during manufacturing.
Sequential device IDs replaced with UUIDs.
Certificate pinning on iOS and Android apps.
SQLite encryption for local health data on mobile device.
Business Outcomes
What the Client Achieved
FDA 510(k) Cybersecurity Section Supported
SIRI Law LLP assessment report included as primary cybersecurity evidence in 510(k) submission — accepted by FDA.
Patient Safety Risk Eliminated
BLE false reading injection and remote false reading submission both closed before any patient device use.
U.S. Hospital Procurement Evaluation Initiated
Hospital system procurement requirement satisfied — formulary evaluation commenced.
HIPAA Compliance Achieved
HIPAA Security Rule gap remediated — mutual TLS device auth, encrypted storage, BAAs executed with hospital customers.
Compliance Frameworks
Standards Applied in This Engagement
Why Choose SIRI Law LLP
Unique Advantage
Qualified advocates — legally privileged investigations
Certified security engineers — OSCP, CISSP, CEPT, CEH
DPDPA + CERT-In compliance integrated into every engagement
24/7 incident response availability
Director GRC & Legal at COE Security — Adv. Chetan Seripally
Related Services
Facing a Similar Security Challenge?
Contact SIRI Law LLP for a confidential scoping call with our legal and technical experts.