eBay: a hacker’s source for acquiring remote monitoring medical devices for security testing?


A while back I blogged on VOIPSA about medical devices using VoIP. This is a follow-up to that post, and is a bit more tangible in that these devices are showing up on the auction sites.

I typically check eBay weekly for medical devices showing up, with an eye for anything with a network interface.

Bluetooth-enabled devices abound, but the misperception that an attacker must be physically close decreases popular interest in them from a security testing perspective. In contrast, it’s a box “on the wire” that enables an attacker in, say, Palau, to reach out and provide what I’d call a “negative home medical monitoring experience.”

So what’s on eBay?

Here’s a ViTel (now owned by Bosch) device and blood pressure monitor on eBay that’s a few years old, but has the ability “…to communicate via standard telephone line, broadband, or cellular and does not interfere with existing telephone service.”

ViTel Net Turtle 400 & A&D UA-767PC Blood Pres. Monitor
eBay Link: http://tinyurl.com/yytwgma

Suggested for discussion:

1. Should vendors of these devices be concerned about their sale on sites like eBay? Why or why not?

2. Are there any available business services that monitor the after-market sale of these devices?

3. Would/should vendors care about re-acquiring these devices?

4. How interesting / valuable would it be to conduct a security analysis on this device, report the findings to CERT, and publish at DefCon or BlackHat?

5. Does a diagram like the one below concern anyone?