Surgical robot hacks: Exploring the vulnerabilities

An engineering team at the University of Washington has been exploring the security vulnerabilities of a surgical robot to determine whether a malicious attack could hijack remotely-controlled operations in the future.

Their research, described in a recently published ArXiv paper, comes at a time when medical robot sales are increasing by 20 percent per year, according to an announcement.

The research was done using the Raven II, a next-generation teleoperated robotic system that is used solely for research and is not FDA approved--not the Da Vinci surgical system in wide use in the U.S. And during the experiments, the robot was merely moving blocks, not actually performing surgery.

However, as points out, the researchers found they could:

  • Send a single maliciously constructed data packet that would trigger the robot's emergency stop (E-stop) mechanism
  • Run a man-in-the-middle attack--removing, modifying or inserting commands--between surgeon and the robot
  • By randomly dropping command packets, cause the robot's arm movements to become jerky

The Da Vinci system uses use a different communication channel and typically is not connected to publicly available networks, which would make these types of cyberattacks more unlikely, the authors point out.

But if teleoperated robots will be used in battlefields and disaster areas with no secure alternative to networks or other communication channels that are easy to hack, these problems must be addressed, they say.

The vulnerability of medical devices to hacking has gotten a lot of attention, especially after former vice president Dick Cheney said he'd had the wireless function of his implanted cardiac defibrillator turned off and the Showtime program "Homeland" used hacking in a murder plot.

Computer networks at three prominent medical device makers--Medtronic, Boston Scientific and St. Jude Medical--were hacked in the first half of 2013.

The U.S. Food and Drug Administration's cybersecurity guidance for medical devices, published last October, calls on device makers to take cybersecurity into account from the initial design, and to submit documentation on known risks and controls developed to lessen those risks.

To learn more:
- read the paper (.pdf)
- find the announcement
- check out the article