Security analysis of an IoT system used for indoor localization in healthcare facilities

摘要

In today's world, the rapid advancement of technology allows us to find new solutions to old problems in critical areas, namely patient and staff tracking in healthcare facilities. The medical staff within these facilities are in an environment where they depend on immediately knowing the location of a patient or other medical staff. McAllister et al. [1] proposed a solution named LoCATE (Localization of Health Center Assets Through an IoT Environment) which uses existing technology to track all patients and medical staff in near real time. LoCATE makes use of the current wireless networks (e.g., WiFi) within a healthcare facility by using edge node technology as its tracking solution. It can locate an object within three to five feet of its calculated position. The ubiquity of WiFi infrastructure in healthcare facilities makes it an attractive option to use, as the backbone for a patient and staff tracking system. However, Internet of Things (IoT) devices and edge nodes create security holes in networks and leak data to the open world. This paper aims to analyze what security holes and data leaks LoCATE creates in a healthcare facility. In this paper, we show the dangers of using simple and default passwords, the need to physically secure edge nodes, and the importance of securing data before transmission. We exploit the system's weak security measures by forging edge node data, gaining unauthorized access, performing denial of service attack, and launching other attacks. We analyze the successfulness of these attacks to offer mitigation techniques for future devices located in other critical areas similar to the healthcare facilities.