Tamil Mathi
Talk Title: Life on the Line: Breaking into a Medical Device by Exploiting TEE/HSM
Abstract
In this demonstration, I will expose how critical vulnerabilities in a medical IoT device, used in life-critical environments such as ICUs and ORs, can be abused by attackers to compromise patient safety. As medical devices and embedded systems become increasingly vital to patient care, their security is often overlooked.
I will demonstrate how adversaries could exploit weaknesses in cryptographic implementations and flawed trusted application designs within Trusted Execution Environments (TEEs), which are gaining popularity as a low-cost alternative to Hardware Security Modules (HSMs) for critical security operations such as encryption, decryption, signing & verification, and secure storage.
However, when developers rely on TEEs without fully understanding their inner workings and implementation details, it can introduce critical security risks. These gaps can allow attackers to bypass a device's cryptographic protections, exfiltrate sensitive keys, and extract valuable intellectual property (IP), such as an AI-powered algorithm used for patient diagnosis.
Additionally, improper implementation of the device's secure boot process could be abused by attackers to gain full control over the system, opening the door to unauthorized modifications, disabling of safety mechanisms, or potentially endangering patients relying on the device.
Such attacks can result in the tampering of critical hemodynamic parameters (such as blood pressure, cardiac output, or oxygen levels), leading to inaccurate readings that misguide healthcare professionals. In high-stakes environments like ICUs and ORs, even a slight deviation in these readings can trigger life-threatening complications.
Drawing from my extensive experience in embedded medical device security and IoT systems, I observe that ongoing challenges (such as knowledge gaps, complex implementation specifics, and a lack of embedded security best practices) are consistently leading to vulnerabilities like these. In particular, the improper usage of TEEs for cryptographic storage is emerging as a recurring issue.
This session will not only raise awareness of the growing security risks in IoT and TEE-powered systems but also equip attendees with practical countermeasures to secure devices against such sophisticated and potentially life-threatening attacks.
Bio
Tamil Mathi has over 7 years of industry experience and specializes in securing diverse ecosystems, including IoT, Web, Cloud, and Mobile. A former Synack Red Team member and competitive CTF participant, Tamil thrives in the world of security.
His expertise spans red teaming and secure architecture design. Currently, he is focused on revolutionizing medical device security by designing cutting-edge, robust secure solutions to safeguard critical healthcare technologies.