Harbor Labs was contracted by a manufacturer of a specialized surgical robotics system to conduct a pre-market cyberthreat analysis (CTA) in support of their 510(k) submission. The analysis encompassed multiple assets beyond just the robot itself, including control software, a cloud backend, attached 3rd-party peripherals, and the network connectivity between each of these endpoints. Like many modern medical devices, and virtually all surgical robotics, this was a true system-of-systems that required a diverse set of pen tests and a multidisciplined security analysis.
While the client device was generally secure, requiring only a few recommendations from Harbor Labs to remediate a short list of discovered vulnerabilities, pen testing revealed that one of the video display peripherals had a critical vulnerability. The firmware on this 3rd-party device, which was an essential component of the overall surgical system, was found to have an unauthorized access vulnerability that if exploited allowed for root access. It would further allow an attacker to read any data on the file system, including wireless network credentials, and mount the system partition as writable, enabling arbitrary modifications to the firmware. Harbor Labs assigned the vulnerability a CVSS v 3.1 score of 9.8.
Harbor Labs staff worked with the client to identify other peripherals that could serve as a secure alternative. Simultaneously, Harbor Labs worked with both the client and the FDA on the responsible disclosure of the vulnerability, consulting with the CDRH Director of Medical Device Cybersecurity personally to determine how other devices might be similarly affected.
By identifying the vulnerability in the premarket CTA process, Harbor Labs ensured that the client’s system design was secure, and that their 510(k) submission would reflect a thorough, expert security analysis. Moreover, by eliminating the vulnerability premarket, the client averted the debacle of having it discovered postmarket, impacting both clinical operations and client reputation.
Harbor Labs Chief Scientist Dr. Avi Rubin identifies some of the most common reasons why the FDA rejects the cybersecurity content of regulatory submissions.
HarborLabs CEO Nick Yuran distinguishes cybersecurity from cyberscience, and explains why understanding the shared scientific disciplines of regulators and security professionals are important in achieving positive regulatory outcomes.
Harbor Labs Director of Firmware Security Dr. Paul Martin describes the strategies, tools, and methodologies used at Harbor Labs when performing source code comparisons in support of litigation consulting and investigation engagements.