Internet of Medical Things (IoMT) - Penetration Testing Check List

Updated: Jan 16

Penetration testing for Internet of Medical Things (IoMT) devices requires a structured and specialized approach to ensure the security of connected healthcare systems.


Below is a step-by-step penetration testing procedure for Internet of Medical Things (IoMT) devices:


Planning & Scoping

It is essential to understand the objective of the test, for example whether it is being conducted for compliance, for security assurance, or for both, since that determines what evidence the report must produce.

Stakeholder agreement is essential: obtain written approval and define the scope so that it covers every party in the IoMT channel, such as the device manufacturer and the healthcare provider.

  • Collect device details such as :

    • Device type and purpose

    • Firmware/software versions

    • Network communication protocols

    • Integration with other systems etc...

Ensure compliance with regulations such as HIPAA, FDA guidelines and similar requirements. Obtain explicit, written approval before performing any network discovery, as unauthorized scanning may breach policy or law (e.g., HIPAA compliance).

Information Gathering

Information gathering consists of:

  1. Passive Reconnaissance

  2. Active Reconnaissance


Passive Reconnaissance:

  • A walkthrough of the device architecture, firmware and components

  • Documentation of the API structure

  • Document the devices, protocols (e.g., HL7, DICOM, MQTT), and architecture.

  • Identify the communication channels (e.g., Wi-Fi, BLE, Zigbee).

  • Use tools such as Wireshark or Tcpdump to capture and analyze network traffic

  • Use tools like Shodan or Censys to gather publicly available information about IoMT endpoints.

Active Reconnaissance:

  • Perform host discovery with Nmap, Masscan or Fping to identify active endpoints - command: nmap -sn <network-range>

  • Scan clinical devices conservatively: many IoMT devices have fragile network stacks and can hang or reboot under aggressive scans, so use slow timing (e.g., -T2 or --max-rate), never scan a device while it is attached to a patient, and agree maintenance windows with the clinical engineering team.

  • Scan all TCP ports to find listening services - command: nmap -p- <target-IP>, then fingerprint the discovered ports - command: nmap -sV -p <port-range> <target-IP>

  • Identify the services running on the discovered ports and run the default NSE scripts against them - command: nmap -sC -sV <target-IP>

  • For protocol-specific discovery, use dedicated tools such as:

    • HL7: Use tools like HL7Spy or Wireshark with HL7 dissectors.

    • DICOM: Use DCMTK for querying DICOM endpoints.

    • MQTT: Tools like MQTT Explorer to analyze brokers.
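
The DICOM discovery step above at the wire level, as an added example that is not part of the original checklist and is not DCMTK code: the script builds the same A-ASSOCIATE-RQ PDU that echoscu sends for a C-ECHO (layout from DICOM PS3.8, section 9.3), parses the AE titles and proposed SOP classes out of a captured request, and classifies the A-ASSOCIATE-AC/RJ reply. An accepted association tells the tester that the PACS or modality admits any peer that knows its called AE title, because DICOM associations carry no credentials of their own; a rejection with reason "calling AE title not recognised" shows that an AE-title allowlist is in place. The implementation class UID and the default calling AE title "PENTEST" are placeholders, probe() is only for in-scope targets, and the offline checks need no network.

```python
import socket
import struct

APP_CONTEXT_UID = "1.2.840.10008.3.1.1.1"   # standard DICOM application context name
VERIFICATION_SOP = "1.2.840.10008.1.1"      # Verification SOP class, used by C-ECHO
IMPLICIT_VR_LE = "1.2.840.10008.1.2"        # Implicit VR Little Endian transfer syntax
IMPL_CLASS_UID = "1.2.3.4.5.6.7.8.9"         # placeholder implementation UID (assumption)

A_ASSOCIATE_RQ, A_ASSOCIATE_AC, A_ASSOCIATE_RJ = 0x01, 0x02, 0x03
A_RELEASE_RQ, A_ABORT = 0x05, 0x07

# A-ASSOCIATE-RJ reasons when the source is the UL service-user (PS3.8 table 9-21)
RJ_REASONS = {
    (1, 1): "no reason given",
    (1, 2): "application context name not supported",
    (1, 3): "calling AE title not recognised",
    (1, 7): "called AE title not recognised",
}


def _item(item_type, payload):
    """Item/sub-item encoding: type, reserved byte, 2-byte big-endian length, payload."""
    return struct.pack(">BBH", item_type, 0, len(payload)) + payload


def _ae(title):
    """AE titles are exactly 16 bytes, space padded."""
    return title.encode("ascii")[:16].ljust(16)


def build_associate_rq(called_ae, calling_ae, max_pdu=16384):
    """A-ASSOCIATE-RQ proposing the Verification SOP class with Implicit VR LE."""
    app_ctx = _item(0x10, APP_CONTEXT_UID.encode())
    pres_ctx = _item(0x20, struct.pack(">BBBB", 1, 0, 0, 0)         # context id 1 + reserved
                     + _item(0x30, VERIFICATION_SOP.encode())       # abstract syntax
                     + _item(0x40, IMPLICIT_VR_LE.encode()))        # transfer syntax
    user_info = _item(0x50, _item(0x51, struct.pack(">I", max_pdu))  # maximum PDU length
                      + _item(0x52, IMPL_CLASS_UID.encode()))       # implementation class UID
    body = (struct.pack(">HH", 1, 0)                                # protocol version 1, reserved
            + _ae(called_ae) + _ae(calling_ae) + bytes(32)
            + app_ctx + pres_ctx + user_info)
    return struct.pack(">BBI", A_ASSOCIATE_RQ, 0, len(body)) + body


def parse_associate_rq(pdu):
    """What a sniffer or the target sees in an RQ: both AE titles and the proposed SOP classes.
    None of it is encrypted or authenticated; the called AE title is the only 'secret'."""
    pdu_type, _, length = struct.unpack(">BBI", pdu[:6])
    if pdu_type != A_ASSOCIATE_RQ or len(pdu) != 6 + length:
        raise ValueError("not a complete A-ASSOCIATE-RQ")
    called = pdu[10:26].decode("ascii").rstrip()
    calling = pdu[26:42].decode("ascii").rstrip()
    sop_classes, pos = [], 74                      # variable items follow the fixed header
    while pos + 4 <= len(pdu):
        item_type, _, item_len = struct.unpack(">BBH", pdu[pos:pos + 4])
        payload = pdu[pos + 4:pos + 4 + item_len]
        if item_type == 0x20:                      # presentation context: walk its sub-items
            sub = 4                                # skip context id and three reserved bytes
            while sub + 4 <= len(payload):
                sub_type, _, sub_len = struct.unpack(">BBH", payload[sub:sub + 4])
                if sub_type == 0x30:
                    sop_classes.append(payload[sub + 4:sub + 4 + sub_len].decode("ascii"))
                sub += 4 + sub_len
        pos += 4 + item_len
    return {"called_ae": called, "calling_ae": calling, "sop_classes": sop_classes}


def classify_response(pdu):
    """Turn the first PDU the peer returns into a one-line finding."""
    if pdu[0] == A_ASSOCIATE_AC:
        return "ACCEPTED: association opened on AE title alone, no credentials required"
    if pdu[0] == A_ASSOCIATE_RJ:
        _, result, source, reason = struct.unpack(">BBBB", pdu[6:10])
        why = RJ_REASONS.get((source, reason), f"source {source} reason {reason}")
        return f"REJECTED ({'permanent' if result == 1 else 'transient'}): {why}"
    if pdu[0] == A_ABORT:
        return "ABORTED by peer"
    return f"unexpected PDU type 0x{pdu[0]:02x}"


def probe(host, port, called_ae, calling_ae="PENTEST", timeout=5.0):
    """Send one RQ to an in-scope target and classify the reply. Network use: approval required."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_associate_rq(called_ae, calling_ae))
        header = s.recv(6)
        if len(header) < 6:
            return "no PDU received (peer closed the connection)"
        length = struct.unpack(">BBI", header)[2]
        body = b""
        while len(body) < length:
            chunk = s.recv(length - len(body))
            if not chunk:
                break
            body += chunk
        if header[0] == A_ASSOCIATE_AC:            # release cleanly instead of dropping the TCP session
            s.sendall(struct.pack(">BBI", A_RELEASE_RQ, 0, 4) + bytes(4))
        return classify_response(header + body)


if __name__ == "__main__":
    # Offline demonstration with a constructed rejection; for a real target use probe(host, 104, "PACS")
    print(parse_associate_rq(build_associate_rq("PACS", "PENTEST")))
    print(classify_response(bytes([A_ASSOCIATE_RJ, 0, 0, 0, 0, 4, 0, 1, 1, 3])))
```

Run the probe once with the AE title learned from documentation or a capture and once with a made-up one: if both are accepted, AE-title checking is off and any host on the segment can open associations and move on to C-FIND/C-MOVE testing; if only the known title is accepted, note that the "secret" still travels in cleartext in every A-ASSOCIATE-RQ.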

Perform Threat Modeling and Attack Surface Identification

  • Hardware interfaces (e.g., USB, JTAG, UART)

  • Communication protocols (e.g., Bluetooth, Wi-Fi, Zigbee, MQTT)

  • Cloud integrations and APIs

  • Web/mobile applications

Vulnerability Assessment and Validation

Performing a Vulnerability Assessment (VA) for an IoMT (Internet of Medical Things) channel involves systematically identifying and assessing vulnerabilities in the communication and interaction pathways between IoMT devices, networks, and associated systems.

  1. Assess the communication channels for weak encryption or data sent unencrypted in transit - use tools such as SSLyze or OpenSSL to assess TLS/SSL configurations.

  2. Assess the device interfaces and verify the access controls on administrative interfaces and APIs.

  3. Use a vulnerability scanning tool such as OpenVAS, Nessus, or Qualys.

  4. Analyze protocol vulnerabilities:

    • HL7: Inspect for plaintext data transmission.

    • DICOM: Test for unauthorized access to images or metadata.

    • MQTT: Ensure proper authentication and encryption on the broker.

  5. Evaluate firmware and software

    • Outdated firmware with known vulnerabilities.

    • Software using vulnerable libraries.

    • Use vulnerability databases like CVE or tools like OpenVAS.

  6. Assign a vulnerability score based on the Common Vulnerability Scoring System (CVSS) and assess the risk, including the potential impact on patient safety.

  7. Validate vulnerabilities through attack simulation, using tools such as Metasploit and Burp Suite for API and web application testing.

  8. Eliminate false positives to ensure actionable results.
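
The HL7 plaintext check from step 4, as an added example that is not from the original checklist: given a TCP payload captured with Wireshark or tcpdump, it strips the MLLP framing (0x0B ... 0x1C 0x0D), parses MSH and PID with the delimiters the message itself declares, and reports the identifiers a passive observer learns from each message. The capture below is constructed, not real traffic, and deliberately includes an ACK with no PHI and a truncated trailing frame so that the handling of both is visible. Plaintext HL7 over MLLP with no TLS is the finding; the script's output is the evidence for the report.

```python
MLLP_START, MLLP_END = b"\x0b", b"\x1c\r"

# Constructed sample stream (not real traffic): an ORU result from a monitor to the HIS,
# the HIS's ACK back, and the start of a second result whose frame has not finished arriving.
CAPTURE = (
    b"\x0bMSH|^~\\&|MONITOR|ICU|HIS|HOSP|20240116120000||ORU^R01|MSG00001|P|2.5\r"
    b"PID|1||123456^^^HOSP^MR||DOE^JANE||19800101|F|||1 MAIN ST^^SPRINGFIELD^IL^62701\r"
    b"OBR|1|||8867-4^Heart rate^LN|||20240116115900\r"
    b"OBX|1|NM|8867-4^Heart rate^LN||72|/min|60-100|N|||F\r\x1c\r"
    b"\x0bMSH|^~\\&|HIS|HOSP|MONITOR|ICU|20240116120001||ACK^R01|ACK00001|P|2.5\r"
    b"MSA|AA|MSG00001\r\x1c\r"
    b"\x0bMSH|^~\\&|MONITOR|ICU|HIS|HOSP|20240116120200||ORU^R01|MSG00003|P|2.5\r"
    b"PID|1||9987"
)


def unframe_mllp(payload):
    """Return every complete MLLP-framed message; an unterminated trailing frame is left out."""
    messages = []
    for chunk in payload.split(MLLP_START)[1:]:
        if MLLP_END in chunk:
            messages.append(chunk.split(MLLP_END, 1)[0])
    return messages


def parse_hl7(message):
    """Split a v2 message into {segment name: [field lists]} using the delimiters the message
    declares in MSH. Fields are shifted so that fields[n] is SEG-n for every segment."""
    text = message.decode("ascii", errors="replace")
    if not text.startswith("MSH") or len(text) < 8:
        raise ValueError("payload is not a plaintext HL7 v2 message")
    field_sep = text[3]                           # MSH-1 is the field separator itself
    segments = {}
    for seg in filter(None, text.split("\r")):
        fields = seg.split(field_sep)
        if fields[0] == "MSH":
            fields.insert(1, field_sep)           # MSH-1 is consumed by the split; put it back
        segments.setdefault(fields[0], []).append(fields)
    return segments


def _field(segment, n):
    return segment[n] if n < len(segment) else ""


def _component(field, index, comp_sep):
    parts = field.split(comp_sep)
    return parts[index] if index < len(parts) else ""


def extract_phi(message):
    """Identifiers a passive observer learns from one cleartext message."""
    segs = parse_hl7(message)
    msh = segs["MSH"][0]
    comp = _field(msh, 2)[0]                      # first encoding character is the component separator
    finding = {
        "control_id": _field(msh, 10),
        "message_type": _field(msh, 9),
        "sender": f"{_field(msh, 3)}@{_field(msh, 4)}",
        "receiver": f"{_field(msh, 5)}@{_field(msh, 6)}",
    }
    for pid in segs.get("PID", []):               # PID-3 ids, PID-5 name, PID-7 DOB, PID-8 sex, PID-11 address
        finding.update({
            "mrn": _component(_field(pid, 3), 0, comp),
            "patient_name": f"{_component(_field(pid, 5), 0, comp)}, {_component(_field(pid, 5), 1, comp)}",
            "dob": _field(pid, 7),
            "sex": _field(pid, 8),
            "address": " ".join(filter(None, _field(pid, 11).split(comp))),
        })
    return finding


def scan_capture(payload):
    """One finding per complete message that exposes patient identifiers."""
    findings = []
    for msg in unframe_mllp(payload):
        try:
            phi = extract_phi(msg)
        except (ValueError, KeyError, IndexError):
            continue                              # not HL7, or too damaged to parse
        if phi.get("mrn"):
            findings.append(phi)
    return findings


if __name__ == "__main__":
    for f in scan_capture(CAPTURE):
        print(f"{f['control_id']} {f['message_type']} {f['sender']}->{f['receiver']}: "
              f"{f['patient_name']} MRN {f['mrn']} DOB {f['dob']}")
```

Feed it the raw bytes of a followed TCP stream rather than a single packet, since one HL7 message frequently spans several segments; if the same stream parses cleanly on every interface between the device and the HIS, the channel has no TLS and the finding applies end to end.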

Compliance Check and Documentation

  • Verify that the secure boot and tamper protection features align with industry standards such as:

    • IEC 62304: Medical device software lifecycle processes.

    • ISO 13485: Quality management for medical devices.

  • Request and review documentation from manufacturers regarding their secure boot and tamper resistance implementations.


Overall, penetration testing for IoMT (Internet of Medical Things) devices is a critical process that ensures the security, privacy and safety of connected medical devices, which play a vital role in patient care. The results of such testing directly affect patient safety, healthcare data integrity, and compliance with regulatory standards.












