Pierluigi Paganini April 26, 2015

Security experts have conducted an experimental to analyze cyber security threats against teleoperated surgical robots in telesurgery.

Technology will help humans to overwhelm any obstacle, one of them is the concept of space that for some activities could represent a serious problem. Let’s think for example to a life-saving surgery that could be performed by surgeons that are physically located everywhere in the world.

Telesurgery is a reality that could allow experts in one place controlling a robot in another that physically performs the surgical operation. The advantages are enormous in term of cost saving, and timely intervention of the medical staff, but which are the possible risks.

Telesurgery relies on sophisticated technology for computing, robotics and communications, and it’s easy to imagine the problem that could be caused by a threat actor.

The expert Tamara Bonaci and other colleagues at the University of Washington in Seattle have analyzed possible threats to the telesurgery, being focused on the possible cyber attacks that modify the behavior of a telerobot during surgery.

The first telesurgery took place in 2001 when a surgeon in New York successfully removed the gallbladder of a patient in Strasbourg in France, the medical equip relied on a dedicated fiber connection provided by a telecommunications company.

Due to the high costs of the surgery and of the dedicated connection, since 2001 numerous surgeons have carried out in remote operations by relying on ordinary communications links. This choice is significantly cheaper but presents many risks in term of privacy and security despite there are no recorded incidents.

This choice is significantly cheaper but presents many risks in term of privacy and security despite there are no recorded incidents.

Bonaci and its collaborators tested a telesurgery robot called Raven II, which was developed at the University of Washington. The Raven II is considered the excellence for telesurgery robots, it was designed to operate in extreme environments with a greater efficiency.

The Raven II is composed of two surgical arms remotely controlled by a surgeon, its control software runs on a single machine equipped with a software based on open standards (i.e. Linux and the Robot Operating System) and communications rely on the Interoperable Telesurgery Protocol.

Here we have the first problems, as I told you the telesurgery robot was designed to operate in extreme conditions characterized by low-quality connections over public networks. Potentially an attacker can access these connections and interfere with the medical staff. Bonaci and other experts tried to hack into the robot and the operations performed during a simulated surgery.

“Due to the open and uncontrollable nature of communication networks, it becomes easy for malicious entities to jam, disrupt, or take over the communication between a robot and a surgeon,” explained Bonaci.

The team evaluated the capability of the operators to complete simple tasks during an ongoing cyber attack that aimed to intercept and manipulate commands sent to and from the remote console.

The team of experts carried out three different types of attacks evaluating the response.

• The first type of attack consists in changing the commands sent by the operator to the telesurgery robot. The hackers deleted, delayed or re-ordered the commands sent through the console, making impossible to control the movement of the robot.
• The second type of attack modifies the intention of signals sent by the operator to the robot. The attacker changed the distance an arm should move or the degree it should rotate and so on. Obviously the effects were dramatic on the Robot.
• The third category of attack is a complete takeover of the robot, a hack that resulted quite simple because the Interoperable Telesurgery Protocol is publicly available. “We effectively took control over the teleoperated procedure,” said the experts.

As explained by the experts, an attacker has many other hacking options like forcing the robots to make movements that trigger an automatic stop mechanism or flooding the system with command to cause a Denial of Service attack.

“We are able to easily stop the robot from ever being properly reset, thus effectively making a surgical procedure impossible,” confirmed the team.

The most simple countermeasure to protect telesurgery systems is the adoption of encryption for the connections and according to the experts it could have a limited impact in term of performance.

“The use of encryption and authentication has low cost and high benefits to telerobotic surgery, mitigating many analyzed attacks,” they explained.

Let me add that encryption could anyway be circumvented with man-in-the-middle attacks that could allow attackers to intercept telesurgery traffic signals and manipulate it.

Another element to consider is the user privacy, we must consider that video encryption is not feasible due to the quality of connections, this means that an attacker can access video streaming for remote surgery with serious privacy issues.

No doubts, security in the medical environment requires a proper security posture to avoid incidents.

Pierluigi Paganini

(Security Affairs –  Telesurgery, hacking)