I typically check eBay weekly for medical devices showing up, with an eye for anything with a network interface.
Bluetooth-enabled devices abound, but the misperception that an attacker must be physically close decreases popular interest from a security testing perspective. In contrast, it’s a box “on the wire” that enables an attacker in, say, Palau, to reach out and provide what I’d call a “negative home medical monitoring experience.”
So what’s on eBay?
Here’s a ViTel (now owned by Bosch) device and blood pressure monitor on eBay that’s a few years old, but has the ability “…to communicate via standard telephone line, broadband, or cellular and does not interfere with existing telephone service.”
ViTel Net Turtle 400 & A&D UA-767PC Blood Pres. Monitor
eBay Link: http://tinyurl.com/yytwgma
Suggested for discussion:
1. Should vendors of these devices be concerned about their sale on sites like eBay? Why or why not?
2. Are there any available business services that monitor the after-market sale of these devices?
3. Would/should vendors care about re-acquiring these devices?
4. How interesting / valuable would it be to conduct a security analysis on this device, report the findings to CERT, and publish at DefCon or BlackHat?
5. Does a diagram like the one below concern anyone?