EXECUTIVE SUMMARY:

Industry researchers identified a vulnerability in the RSA keys and certificates of certain IoT devices, including medical devices and implants, that leaves the devices exposed to cyber risk.

RSA keys and certificates are built from two randomly generated prime numbers. Data sent to a remote party is encrypted with that party's public key, and only the holder of the matching private key can decrypt it. RSA security rests on the inability to derive the two primes from the public key. To determine the probability of these prime factors being discovered, Keyfactor built a database containing 75 million active RSA keys and 100 million certificates. Their analysis of the database found a vulnerability that would lead to the compromise of one out of 172 active RSA certificates.
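The following is an added example, not code from Keyfactor or from the original page: a defensive audit that an organization can run over the RSA moduli in its own device inventory. It assumes the weakness behind the one-in-172 figure is that keys generated with poor randomness share a prime factor with another key, which this summary does not spell out. The function name, device labels and toy moduli are constructed for illustration.

```python
from math import gcd, prod


def audit_moduli(inventory):
    """Return {label: (finding, [peer labels])} for keys that must be reissued.

    inventory maps a device or certificate label to its RSA modulus n (int).
    Keys that share nothing with any other key are left out of the result.
    """
    total = prod(inventory.values())
    findings = {}
    for label, n in inventory.items():
        # Screen: gcd of n with the product of every other modulus.
        # A result of 1 means n has no factor in common with the rest.
        if gcd(n, (total // n) % n) == 1:
            continue
        # Flagged: a pairwise pass names the peers, which helps trace the
        # problem back to a firmware build or manufacturing batch.
        peers = [other for other, m in inventory.items()
                 if other != label and gcd(n, m) != 1]
        # Edge case: the same modulus issued to more than one device.
        duplicate = any(inventory[p] == n for p in peers)
        kind = "duplicate modulus" if duplicate else "shared prime factor"
        findings[label] = (kind, peers)
    return findings


# Constructed sample inventory. The factors are small pairwise-coprime
# numbers of the form 2**k - 1; real RSA primes are 1024 bits or longer.
P = [2**k - 1 for k in (13, 17, 19, 31, 61, 89, 107)]
SAMPLE_INVENTORY = {
    "pump-a": P[0] * P[1],
    "pump-b": P[0] * P[2],      # reuses a prime from pump-a
    "monitor-c": P[3] * P[4],   # independent key
    "gateway-d": P[5] * P[6],
    "gateway-e": P[5] * P[6],   # identical key on a second device
}

if __name__ == "__main__":
    for label, (kind, peers) in audit_moduli(SAMPLE_INVENTORY).items():
        print(f"{label}: {kind} with {', '.join(peers)}")
```

Any key the audit reports should be regenerated on a device with a properly seeded random number generator and its certificate revoked and reissued.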

This vulnerability could allow hackers to compromise a given device and its data with minimal computing resources. A senior industry professional warned that “the connecting user or device cannot distinguish the attacker from the legitimate certificate holder, opening the door to critical device malfunction or exposure of sensitive data.” One survey showed that 82% of healthcare organizations’ IoT devices had been targets of cyber attacks within the last year. The healthcare industry remains a big and vulnerable target for hackers.

To learn more about healthcare cyber security and the RSA keys found in IoT medical devices, please see this Health IT Security article.