Security Performance of Internet of Medical Things

Internet of Medical Things is the internet connection of medical devices to perform services and processes to support the healthcare sector. Wearable Technology in Healthcare has seen tremendous growth in recent times. This is due to a global increase in the aging population, the need for disease management, and effective patient monitoring. The prevalent technology of wearable devices is Bluetooth technology due to its low cost, low energy, and size. Despite the growth recorded in the adoption of Bluetooth Wearable IoMT, there are concerns by users and other healthcare stakeholders about security and privacy issues with its adoption. Our paper presents a simulation of passive and active attacks on 3 wearable IoMT devices, followed by analysis and evaluation of the experiment outcomes. Thereafter, countermeasures for the identified weaknesses were provided. It was discovered that some of the standard security features of Bluetooth Technology to mitigate privacy and security issues were not implemented in some of the devices, which can result in data compromise in the devices. A security assessment framework was developed to assess the security of Bluetooth IoMT devices using the Bayesian Network model. This is used to rank devices, identify their vulnerabilities, and apply security measures on the identified vulnerabilities. Our paper further provides recommendations on improving the security of Bluetooth IoMT devices.


Introduction
Internet of Medical Things is the connection of medical devices to the internet to perform services and processes to support the healthcare sector. Wearable Healthcare devices, a branch of Internet of Medical Things, are regarded as one of the fastest-growing markets in recent times. This growth is expected to continue due to an increase in device adoption, popularity, functionality, and innovation [1]. Although there are security concerns about the continued adoption of IoT devices for healthcare, Internet of Medical Things still accounts for one-third of the Internet of Things [2]. This is because patients' health can be enhanced with IoMT adoption for patient remote monitoring. Also, Muck explains that IoMT devices may be an easy target for attackers to launch a distributed denial-of-service attack on [3].
Recent research shows that there is a dearth of effective IoT security assessment frameworks in the cyber-security space [4]. Moreover, for security to be implemented, it needs to be measurable. This shows the importance of developing a security assessment framework for Bluetooth Wearable Internet of Medical Things to measure the security posture of the devices. The developed Security Assessment Framework for Bluetooth Wearable IoMT will provide a relevant resource in the cyber-security space specifically for the healthcare sector and help to mitigate security and privacy risks.
Previous work shows that security and privacy concerns are prevalent in the adoption of healthcare devices [5,6]. Furthermore, the security assessment frameworks that had been developed previously were for the Internet of Things generally; none of the previous work focused on a security assessment framework for the Bluetooth Internet of Medical Things. Also, these general security assessment frameworks are not designed for specific device security features assessment or vulnerability impact assessment. Thus, they are not effective for assessing the Bluetooth IoMT devices.
The contributions of our paper include the investigation of the security performance of 3 Bluetooth technology-based IoMT devices and the development of a security assessment framework based on the Bayesian Network model and NIST CVE. The Security Assessment Framework was used to assess the security levels of the IoMT devices.

Related Work
Hale presented an open-source platform (Secuwear) for identifying vulnerabilities in wearable hardware and software [7]. The Secuwear platform is designed to separate the Wearable Systems Network into different domains for ease of testing and isolating the vulnerabilities. This study elaborated on the connection between the wearable device and the mobile application on the Central device. The platform was used to simulate attacks on Bluetooth which included the Denial of Service and Man-in-the-Middle attacks. Our research, however, focuses on developing a security assessment framework for Bluetooth IoMT and associating the implementation or non-implementation of Bluetooth NIST recommended security features. Furthermore, Yaseen describes a framework to detect, analyse, and mitigate Bluetooth vulnerabilities while simulating Man-in-the-middle attacks on No Input No Output (NiNo) devices [8]. Our research describes a framework for assessing security levels of Bluetooth IoMT based on their security features. This assessment framework provides a comparison of the security levels of the Bluetooth IoMT devices.
Melamed discussed Bluetooth technologies and connections. Also, the MitM attack was explained and simulated in the research. Although some Bluetooth vulnerabilities were considered, countermeasures and an assessment framework for Bluetooth were not discussed [9].
Alsubaei designed a taxonomy and risk assessment model for security and privacy in IoMT. The study classifies security and privacy issues related to IoMT. The taxonomy used included IoT layers, possible intruders, compromise level, etc. [2]. The IoMT layers are mapped with the types of medical devices, the difficulty of attack, CIA compromise, attack method, compromise levels, and attack origin. Furthermore, vulnerability identification and quantification were done, the severity and likelihood of risks computed, and attack probability calculated. The study developed an assessment model where a user defines the weights of risks. Our research also developed a security assessment framework; however, it focuses on Bluetooth IoMT using the Bayesian Network Model methodology.
Conversely, Darwish proposed a model that will enhance risk and threat assessments in the IoMT environment [10]. The study identifies 6 major security goals in IoMT. These include device integrity, data integrity, confidentiality, availability, privacy, and security usability. Also, the study proposes a taxonomy for the type of target data. These are data disclosure, alteration, inaccessibility, and process/control/code manipulation. The risk and threat analysis standard used was adapted from the HSG ISI. Furthermore, the Focus of interests (FoI) is identified for IoMT devices. This report categorised identified threats into static and dynamic properties. The static attributes are triggered only when a new device is added to the system while the dynamic composability property is for regular, periodic assessment of the identified IoMT devices. The threat analysis further integrates the classification of data threats. The drawback of this assessment model is that it does not include device security assessment; it focuses more on data security, which is of great importance in the healthcare sector, even though a compromised device may consequently make data less secure [11]. Our research further shows that the implementation of security features in Bluetooth IoMT directly impacts the security levels of the devices.
Furthermore, Alsubaei developed a web-based assessment framework that identifies IoMT security threats, recommends security measures and further measures, and ranks two or more IoMT solutions by the degree of their security [12]. The Analytic Hierarchy Process multi-criteria decision-making method was used to process the multiple criteria derived from the use of security objectives and the solution security assessment. The limitations of this study include the complexity in defining 260 security attributes and stakeholders finding it difficult to understand them. Also, 3 stakeholders were identified in this study and the general IoMT environment was discussed without addressing specifically the peculiarities in Bluetooth IoMT devices.
Our paper focuses on developing a security assessment model for assessing security in Bluetooth IoMT devices. The assessment model ranks and assesses the devices based on the implementation of security features. The paper also presents additional measures to increase the security of the IoMT devices.

Experiment Design and Methodology
The paper investigates the security features in Bluetooth IoMT devices based on the NIST Recommendations and Bluetooth Standard Specifications. Experiments were carried out on 3 Wearable IoMT devices to assess the security features integrated into them. Also, vulnerabilities in the devices were identified and a security assessment framework was developed to assess the security levels of the IoMT devices.
The design and implementation of the experiment investigated the security features and vulnerabilities of the wearable IoMT devices. Figure 1 shows the design of the experiment conducted. The CSR 8510 USB dongles were used to simulate the Clone Peripheral and Clone Mobile device. The btlejuice tool was installed and set up on 2 Kali Linux Virtual machines. Also, the central device (Mobile device) and the IoMT devices (Fitbit Charge 3, 116Plus Smart watch and Braun iCheck7 Wrist Blood Pressure Monitor) are the BLE Wearable IoMT devices represented in the design.
These IoMT devices were termed Device A, Device B, and Device C. Reconnaissance and information gathering on the IoMT devices was done using the bettercap tool, gatttool and hcitool. Figure 2 shows the Passive Eavesdropping, which was conducted first to sniff Bluetooth packets between the connected Bluetooth devices (IoMT and the Mobile Device), while the active eavesdropping attack/MitM attack was performed to connect with the Bluetooth devices and access confidential health data. The passive eavesdropping experiment was conducted using Ubertooth One and a packet monitoring tool (Wireshark) to capture and analyse the Bluetooth packets. Furthermore, the MitM attack was simulated using the btlejuice framework set up on 2 Kali Linux Virtual Machines and 2 CSR USB dongles.
Gattacker: This is used to simulate a MitM attack by creating a copy of the attacked device as a clone, tricking the mobile application into connecting to it, and then forwarding the data exchanged on the cloned device with the mobile application.

CSR 8510
CSR 8510 are USB Bluetooth dongles used to simulate a man-in-the-middle test environment. One of the dongles was used to simulate the fake peripheral while the second was used to simulate the central device. These dongles were chosen for the experiment as they are fit for purpose and cost-effective.

Bettercap
Bettercap: This tool was used for Bluetooth LE reconnaissance tasks.

Gatttool
Gatttool: This is an open-source tool used to access the services and characteristics running on the Bluetooth device. It was selected because its GATT commands can discover, read, and write Bluetooth device characteristics.

HCITool
Hcitool: This is an open-source tool used to send special commands to Bluetooth devices. It was used in this experiment because it can identify the Bluetooth BD_ADDR addresses and names of the Bluetooth devices used for the experiment and within range.
They are also used to measure health data such as heart rate, SpO2, and sleep quality. However, they are not approved medical devices for healthcare monitoring.
1. Authentication - Authentication deals with identifying the communicating devices. NIST recommends that authentication be implemented in communication between the devices; however, user authentication is not provided in the Bluetooth security standard. AES-CCM is used in Bluetooth low energy to provide packet authentication.
2. Confidentiality - This is preventing data compromise caused by eavesdropping and preventing unauthorised access to device and data. AES-CCM is used in Bluetooth low energy to provide confidentiality.
3. Authorization - AES-CCM is used in Bluetooth low energy to provide confidentiality as well as per-packet authentication and integrity.
4. Message Integrity - AES-CCM is used in Bluetooth low energy to provide message integrity.
The Privacy feature should be implemented to prevent devices from being associated with users over time.
Zhang described the Bluetooth Privacy feature, which assigns a unique 48-bit BD_ADDR Bluetooth device address to a Bluetooth device [13]. The public device address is a 48-bit long number representing the company ID and unique ID assigned by the company. The random address on the other hand can be either a static random address or private random address. The random address is also called resolvable private address.
Zuo discussed the types of attacks as passive and active attacks [14].
In the experiments, the passive attacks are passive fingerprinting and passive eavesdropping. These are achieved through sniffing of the BLE packet communications between the 2 connected Bluetooth devices, while the active attack is presented through the unauthorised access attack on the data transmission between the Central and Peripheral Bluetooth devices.
The 3 IoMT devices investigated operate in Bluetooth 4.0 technology.
The experiment screenshots only show data relevant to this research, while other device-specific data and other confidential data not relevant to this research have been hidden. The passive fingerprinting and eavesdropping were done using Ubertooth One and Wireshark. The Ubertooth One was used to capture Bluetooth packets, which were displayed with the Wireshark application. A pipe was created using the command mkfifo /tmp/pipe and added in the Wireshark interface to capture the Bluetooth packets in Wireshark. The command ubertooth-btle -f -c /tmp/pipe was used to capture the BLE packets in Wireshark. Figure 3 shows the successful implementation of passive fingerprinting and eavesdropping. This is accomplished using the Ubertooth One device, and packets are captured with the Wireshark tool.
Gatttool: This tool was used to access the Bluetooth services and characteristics of the IoMT devices. Also, the characteristics data was retrieved using the gatttool commands gatttool -b BD_ADDR -I -t random (or -t public), connect, and characteristics. Also, the char-read-hnd command was used to read the characteristics handle data and the write command was used to write to the characteristics. This is depicted in Figure 4 while the gattacker tool scan was seen in
In this experiment, Figure 7 shows the process of attempting to access the data in IoMT device A using the btlejuice tool. This was not successful.
Device B (Figures 8-12).
Device C (Figures 13-16). Figure 13 shows the Gatttool scan of device C while Figure 14 shows the gattacker scan of Device C. Figures 15 and 16 show successful access of the data in the IoMT device C, which includes the health data of the user and the name of the user in plain text as highlighted.

Development of Security Assessment Framework for Bluetooth IoMT Devices
There are security features in Bluetooth technology that can be implemented to increase the security of the devices. The NIST security recommendations and Bluetooth features are used in Table 3 and Figures 3 -16 to model the probability of a successful MitM attack and design of the security assessment. CVSS (Common Vulnerability Scoring System) can be used to assess the vulnerabilities of a system [15].
According to Padgette, Bluetooth standard specifies 5 basic security features namely, Authentication, Confidentiality, Authorization, Message Integrity and Pairing or Bonding [16].

Bayesian Networks and Application in Security Assessment Framework
A Bayesian Network is a probabilistic graphical model which uses a directed acyclic graph to depict cause and effect relationships. BN is a causal probabilistic model that is used for cyber security risk assessment because it captures complex interdependencies in the risk factors and data capture based on expert judgement [17].
Bayes' theorem is written as:
p(A|B) = p(B|A) * p(A) / p(B)
where p(A|B) is the posterior, i.e., the probability of event A occurring given that event B has occurred, and p(A) is the prior, i.e., the probability of event A occurring.
A Bayesian Network is used to develop a security assessment framework for Bluetooth IoMT devices based on the cause-effect relationship model. This shows that the implementation of security features has a corresponding effect on the security levels of the device. The overall security of a Bluetooth IoMT device is the summation of all the security features that the device has. A device that has more of the Bluetooth security features implemented is expected to be more secure than another device with fewer security features implemented. Hence, the developed framework can be used to assess the security of the devices.
This implies that the more vulnerabilities found in a device design, the less secure the device is. V2, V3, and V4 are the most critical vulnerabilities as they may be exploited to launch a MitM attack which can also lead to other attacks. The Man-in-the-Middle attack was used for the security assessment design for IoMT because of the possible impact such attacks can have on medical devices and on the device users. These may range from user confidentiality and privacy compromise to health data manipulation, which can be fatal. Figure 17 shows the Bayesian Network Graph of the Causal-Consequence relationship for the implementation or non-implementation of the security features A, B, and C. The CVSS scores for the identified MitM attack vulnerabilities were used for this model. Although the device manufacturer and application developer may implement some additional security features in the device design, the non-implementation of these standard Bluetooth features was considered, and the uncertainty of other security measures was integrated into the design by applying the NIST CVSS vulnerability scores.
Bluetooth device. The model shows that the MitM attack success rate is 92%. Figure 19 shows the impact of implementing Authentication on Man-in-the-Middle attack success. The model shows a 6% decline (86%) in the Man-in-the-Middle attack success rate as against 92% earlier, thereby increasing the security level of the device.
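The cause-effect model described in this section can be sketched as a small Bayesian network with exact inference by enumeration. This is an added example, not the paper's model: the four feature nodes follow the features named on this page, but every probability (the priors, the per-feature exploit likelihoods, the leak term and the noisy-OR combination) is a constructed assumption, not a CVSS score or result from the study.

```python
from itertools import product

# Constructed values (NOT from the paper): chance that a missing feature,
# taken alone, lets a MitM attempt succeed.
EXPLOIT_IF_MISSING = {
    "mitm_flag": 0.60,
    "secure_connections": 0.50,
    "authenticated_pairing": 0.70,  # Passkey, OOB or Numeric Comparison
    "privacy": 0.20,
}
# Constructed prior that a device not yet examined implements each feature.
PRIOR_IMPLEMENTED = {
    "mitm_flag": 0.5,
    "secure_connections": 0.7,
    "authenticated_pairing": 0.4,
    "privacy": 0.3,
}
LEAK = 0.05  # residual success chance from causes outside the model


def p_mitm_given(features):
    """Noisy-OR CPT: P(MitM succeeds | full assignment of the feature nodes)."""
    p_fail = 1.0 - LEAK
    for name, implemented in features.items():
        if not implemented:
            p_fail *= 1.0 - EXPLOIT_IF_MISSING[name]
    return 1.0 - p_fail


def joint(features, mitm):
    """Joint probability of one complete world (all features + MitM outcome)."""
    p = 1.0
    for name, implemented in features.items():
        prior = PRIOR_IMPLEMENTED[name]
        p *= prior if implemented else 1.0 - prior
    pm = p_mitm_given(features)
    return p * (pm if mitm else 1.0 - pm)


def query(target, evidence):
    """P(target = True | evidence), summing the joint over all hidden nodes."""
    names = list(PRIOR_IMPLEMENTED) + ["mitm"]
    num = den = 0.0
    for values in product([True, False], repeat=len(names)):
        world = dict(zip(names, values))
        if any(world[k] != v for k, v in evidence.items()):
            continue
        p = joint({k: world[k] for k in PRIOR_IMPLEMENTED}, world["mitm"])
        den += p
        if world[target]:
            num += p
    return num / den


# Feature profiles as reported on this page. Device C has the same profile
# as Device B in this four-feature model, so it is not listed separately.
DEVICES = {
    "A": dict(mitm_flag=True, secure_connections=True,
              authenticated_pairing=True, privacy=False),
    "B": dict(mitm_flag=False, secure_connections=True,
              authenticated_pairing=False, privacy=False),
    "benchmark": dict(mitm_flag=True, secure_connections=True,
                      authenticated_pairing=True, privacy=True),
}


def rank(devices):
    """Order devices from most to least secure by P(MitM succeeds | features)."""
    scores = {name: query("mitm", ev) for name, ev in devices.items()}
    return sorted(scores.items(), key=lambda kv: kv[1])


if __name__ == "__main__":
    for name, p in rank(DEVICES):
        print(f"device {name}: P(MitM success) = {p:.3f}")
    # Diagnostic direction of Bayes' theorem: belief about a feature after
    # a successful MitM has been observed.
    print(query("authenticated_pairing", {"mitm": True}))
```

The same `query` function answers both directions of the network: prediction from observed features, and diagnosis of which feature was probably missing once an attack is known to have succeeded.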

Security Assessment Framework Design for Bluetooth IoMT Devices
Figure 20 is the Security Assessment Framework Model for Bluetooth IoMT devices using Bluetooth Security Features. This model can be used to assess the security levels of the devices based on the implementation or non-implementation of current Bluetooth security features. The model shows that the implementation of all required security measures gives a High Security Level probability of 80% and a Medium Security Level probability of 20%. Although none of the 3 IoMT devices investigated in this research has all the security features, current research work shows that integration of these features and application-level encryption and authentication will increase the security levels of Bluetooth IoMT devices. Furthermore, the framework can be used to assess and rank the security levels of Bluetooth IoMT devices while implementing other security measures to increase device security.

Evaluation of the Proposed Security Assessment Framework
The evaluation of the security assessment framework developed was completed using Devices A, B, and C, which were investigated in section 3.1. The security levels of the devices are determined, and device ranking was also completed using the framework. Furthermore, a Pareto chart shows the comparison of the 3 devices using this framework.

Device A Security Level
Figure 21 shows that device A's privacy feature was not set and ADV_DIRECT_IND was not set. On the other hand, the MitM flag was set, Secure Connections was set, and the Passkey association model was implemented for this device. Given that the critical security features of MitM flag, Secure Connections, and use of the Passkey Association Model were implemented for device A, the outcome of the security assessment for device A was high, with a security probability level of 65% (High). However, to achieve a higher security level, all the security features are recommended, with additional implementations at the application level and device design discussed in section 4.

Device B Security Level
The privacy feature for device B was not implemented fully: although the sniffed packet showed the BD_ADDR as random, randomisation was not implemented. Also, ADV_DIRECT_IND was not set and the MitM flag was not set; the Secure Connections feature was implemented, whereas the Just Works association model was used for pairing. Although pairing for this device required application-level authentication, the experiment shows that the non-implementation of either passkey, OOB, or Numeric Key resulted in the success of the MitM attack launched against this device. The security level assessment for this device using the framework is low, with a low security level probability of 70%. In the same vein, the security level for device B can be increased with the implementation of all identified security features and other application-level security mechanisms.

Device C Security Level
Figure 23 shows that the privacy feature for device C is not set, ADV_DIRECT_IND is not set, the MitM flag was not set, Secure Connections was implemented, and the Just Works association model was used for pairing. The security level of device C is low, given that the security probability score from the security assessment framework is 72% low. Conversely, to achieve a higher security level, further security features and mechanisms can be implemented.
Figure 24 shows the possible security levels for all the 3 IoMT devices that were investigated in this research. To analyse the Pareto chart, a framework benchmark device model was included as a fourth device to aid comparison. This framework device model has all the security features implemented to simulate outcomes if the device implements all security features. Furthermore, the Pareto chart shows that the most secure of all the 3 devices is Device A, while Devices B and C have about the same security level, with device B slightly higher than Device C. In the same vein, the experiment analysis of Table 1 also attests to this deduction.

Security Features in Bluetooth Technology and Its Implementation in Wearable Bluetooth IoMT
There are Bluetooth security features recommended to mitigate the Confidentiality threat, one of which is the Privacy feature (Private BD_ADDR). It randomises the MAC address and is used to mitigate identity tracking. Also, Bluetooth LE Secure Connections is more secure than the earlier Bluetooth LE legacy pairing. Bluetooth Secure Connections uses authenticated connection and pairing with encryption. It also uses Elliptic Curve Diffie-Hellman cryptography for the key generation. The Passkey pairing association model protects against the MitM attack by displaying a 6-digit passkey on one of the devices, which should be input on the second Bluetooth device. The OOB process also protects against MitM by using other transmission means, such as NFC, for authentication.
The Numeric Comparison provides some protection against MitM attacks by displaying 6 digits on the 2 devices and requiring the user to confirm if both numbers are the same. This is done by clicking a yes or no on the device screen. Just Works is the least secure of all the pairing models. It does not require the user to authenticate.
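A check for these features over a captured pairing exchange, as an added example that is not code from the paper: it parses the SMP Pairing Request and Pairing Response, derives the association model the two sides will end up using, and lists the gaps. The PDUs and addresses below are constructed samples, and the findings wording and the `assess` helper are this example's own.

```python
from dataclasses import dataclass

DISPLAY_ONLY, DISPLAY_YESNO, KEYBOARD_ONLY, NO_IO, KEYBOARD_DISPLAY = range(5)


@dataclass
class PairingFeatures:
    io: int        # IO Capability octet
    oob: bool      # OOB data flag
    bonding: bool  # AuthReq bits 0-1
    mitm: bool     # AuthReq bit 2
    sc: bool       # AuthReq bit 3 (LE Secure Connections)
    max_key: int   # maximum encryption key size in octets (7..16)


def parse_pairing_pdu(pdu: bytes) -> PairingFeatures:
    """Parse an SMP Pairing Request (0x01) or Pairing Response (0x02)."""
    if len(pdu) != 7 or pdu[0] not in (0x01, 0x02):
        raise ValueError("not an SMP Pairing Request/Response")
    _, io, oob, auth, max_key, _, _ = pdu
    if io > KEYBOARD_DISPLAY or not 7 <= max_key <= 16:
        raise ValueError("field out of range")
    return PairingFeatures(io, oob == 1, bool(auth & 0x03),
                           bool(auth & 0x04), bool(auth & 0x08), max_key)


def association_model(req: PairingFeatures, rsp: PairingFeatures) -> str:
    """Association model selected from the two sides' advertised features."""
    sc = req.sc and rsp.sc
    # OOB: both sides must have data in legacy pairing, either side with SC.
    if (req.oob or rsp.oob) if sc else (req.oob and rsp.oob):
        return "OOB"
    if not (req.mitm or rsp.mitm) or NO_IO in (req.io, rsp.io):
        return "Just Works"
    confirm = (DISPLAY_YESNO, KEYBOARD_DISPLAY)
    if sc and req.io in confirm and rsp.io in confirm:
        return "Numeric Comparison"
    display = (DISPLAY_ONLY, DISPLAY_YESNO)
    if req.io in display and rsp.io in display:
        return "Just Works"  # nobody can type a passkey
    return "Passkey Entry"


def random_addr_subtype(addr: str) -> str:
    """Classify a random BD_ADDR by its two most significant bits."""
    top = int(addr.split(":")[0], 16) >> 6
    return {0b11: "static random", 0b01: "resolvable private",
            0b00: "non-resolvable private"}.get(top, "reserved")


def assess(req_pdu, rsp_pdu, periph_addr, addr_is_random):
    """Return (association model, list of findings) for one pairing exchange."""
    req, rsp = parse_pairing_pdu(req_pdu), parse_pairing_pdu(rsp_pdu)
    model = association_model(req, rsp)
    findings = []
    if model == "Just Works":
        findings.append("unauthenticated pairing (Just Works)")
    if not rsp.mitm:
        findings.append("peripheral does not set the MitM flag")
    if not (req.sc and rsp.sc):
        findings.append("Secure Connections not negotiated (legacy pairing)")
    if min(req.max_key, rsp.max_key) < 16:
        findings.append("encryption key shorter than 16 octets")
    if not addr_is_random or random_addr_subtype(periph_addr) == "static random":
        findings.append("fixed address (public or static random): trackable")
    return model, findings


# Constructed sample PDUs: code, IO cap, OOB, AuthReq, key size, key dist x2.
PHONE_REQ = bytes.fromhex("0104000d100f0f")       # KeyboardDisplay, MITM+SC
JUST_WORKS_RSP = bytes.fromhex("02030009100707")  # NoInputNoOutput, SC only
PASSKEY_RSP = bytes.fromhex("0200000d100707")     # DisplayOnly, MITM+SC

if __name__ == "__main__":
    print(assess(PHONE_REQ, JUST_WORKS_RSP, "C4:12:34:56:78:9A", True))
    print(assess(PHONE_REQ, PASSKEY_RSP, "5A:12:34:56:78:9A", True))
```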
Other proposed security implementations to mitigate MitM attack are shown in the highlighted part of Figure 27. GATT-Based ATT attribute authentication is recommended on IoMT devices. Furthermore, a Bluetooth anomaly-based intrusion detection system is another proposed security implementation for Bluetooth IoMT devices. Section 3.1 above also detailed other proposed security measures that may increase the security of Bluetooth IoMT devices.
It may be argued that integrating additional security implementations on these devices may require additional processing and computational power, however achieving high-security levels is critical to the continual adoption of the internet of things in healthcare. Moreover, recent technological advancements have seen the advent of miniature devices with high computing power. Therefore, a high-security level implementation by design can be adopted for IoMT devices.

Result and Discussion
The experiment outcome and the security assessment framework evaluation show that Device A was the most secure of all the devices. Other relevant observations show that the Bluetooth privacy feature for Device A was not implemented and the passkey used for pairing was 4 digits long instead of the recommended 6 digits. Furthermore, a Passive Eavesdropping attack was possible on this device, as the MAC address, device information, services, characteristics, and some data were captured; however, the user's personally identifiable data was not revealed as was observed with device C. Hence, this shows that the implementation of the privacy feature, use of a six-digit passkey and additional security can be used to increase the security level of device A.
Conversely, device C is a Bluetooth wearable blood pressure monitor on which experiments and security assessment tests were done. The researcher's name was captured in clear text while the blood pressure and heart rate were displayed in hexadecimal. The hex value was converted to decimal to reveal the user's health data. Also, it was observed that most of the recommended Bluetooth security features, such as the privacy feature, MitM flag on, and pairing with authentication, were not implemented on this device. Device B has the same security limitations as Device C, but device B's privacy feature was set as "on" in the experiment, although it was discovered that the privacy feature was not fully implemented. Hence, devices B and C have the same security level, aside from the fact that the user's name was not seen in clear text in Device B.
Melamed discussed Bluetooth technologies and simulated a MitM attack. Although some Bluetooth vulnerabilities were considered, countermeasures and an assessment framework for Bluetooth were not discussed [9]. Our paper, however, simulated a MitM attack and further developed a security assessment framework for Bluetooth IoMT devices. Similarly, Yaseen also simulated a MitM attack and developed an approach for detecting and analysing MitM attacks (MARC) [8], but this is different from our work, which also focuses on the development of a security assessment framework to measure the security levels of Bluetooth devices.

Conclusion
This study shows the effects of implementing Bluetooth security features on the security levels of Bluetooth IoMT devices. A Bayesian Network model was used to implement the security assessment framework to assess the security levels of the IoMT devices in the study. It was observed that the devices that had more security features implemented on them had higher security levels compared to devices that had fewer security features implemented.

Recommendation
The following are recommended based on the outcome of this study:
The attribute permissions for devices that transmit sensitive data such as IoMT should be set to encryption required, authorisation required, and authentication required. This may have a significant impact on the user experience, as there is usually a trade-off between security and user experience. Hence, it behoves the device manufacturers and developers to ensure adequate security is integrated into wearable Bluetooth IoMT. Consequently, this will ensure that the read and notification requests for sensitive data such as healthcare data are authenticated.
Implementation of Application-Level Authentication and Encryption. This is meant to mitigate MitM attacks and prevent unauthorised access to sensitive data.
Use of Received Signal Strength Indicator (RSSI) to differentiate between a cloned device and legitimate BLE nodes as it is expected that the attacker's distance to the legitimate device user and devices will be more.
Use of Bluetooth Anomaly-Based Intrusion Detection System to detect abnormal operations in IoMT Bluetooth connections and to advise users to respond accordingly.
Biometric authentication may be integrated to the IoMT device chip to enhance the authentication and authorisation process.
Stakeholders in healthcare such as doctors, patients, and healthcare institutions should be aware of the security recommendations of the medical devices to mitigate attacks that can be fatal depending on the motivation of the attacker.
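One way to turn the RSSI recommendation above into a detection rule, as an added example that is not from the paper: the monitor learns a per-address RSSI baseline, then alerts when several consecutive advertisements arrive much weaker than that baseline. The addresses, RSSI values and thresholds are constructed assumptions.

```python
from statistics import median


def baseline(samples):
    """Robust baseline: median RSSI and median absolute deviation (MAD)."""
    med = median(samples)
    mad = median(abs(s - med) for s in samples) or 1.0  # avoid a zero spread
    return med, mad


def detect_clone(observations, enroll=8, k=4.0, min_drop_db=10, streak=3):
    """Flag addresses whose advertisements suddenly arrive much weaker.

    observations: iterable of (time, address, rssi_dbm) in arrival order.
    The first `enroll` frames per address form the baseline. A frame is
    suspicious when it is weaker than the baseline median by at least
    max(min_drop_db, k * MAD); `streak` suspicious frames in a row raise
    one alert, so a single faded packet does not.
    Returns a list of (address, time_of_alert).
    """
    history = {}  # address -> enrollment samples
    run = {}      # address -> current count of consecutive suspicious frames
    alerts = []
    for t, addr, rssi in observations:
        seen = history.setdefault(addr, [])
        if len(seen) < enroll:
            seen.append(rssi)
            continue
        med, mad = baseline(seen)
        if med - rssi >= max(min_drop_db, k * mad):
            run[addr] = run.get(addr, 0) + 1
            if run[addr] == streak:
                alerts.append((addr, t))
        else:
            run[addr] = 0
    return alerts


def _series(addr, values):
    """Build (time, address, rssi) tuples with the list index as time."""
    return [(i, addr, v) for i, v in enumerate(values)]


# Constructed sample: the first wearable is heard at about -55 dBm, then three
# frames carrying the same address arrive near -79 dBm (a more distant sender).
# The second wearable shows only one faded frame and must not alert.
SAMPLE = (
    _series("AA:BB:CC:00:00:01",
            [-55, -57, -54, -56, -55, -58, -54, -56,   # enrollment
             -56, -57, -78, -80, -79, -55])
    + _series("AA:BB:CC:00:00:02",
              [-60, -60, -60, -60, -60, -60, -60, -60,  # enrollment
               -85, -61, -60])
)

if __name__ == "__main__":
    for addr, t in detect_clone(SAMPLE):
        print(f"possible cloned peripheral: {addr} at t={t}")
```

RSSI also shifts with body position and obstacles, and a sender can raise its transmit power, so a flag like this is one input to an anomaly-based detector and not proof of cloning on its own.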

Future Work
This research work focuses on the security of Bluetooth IoMT devices. Future work will be to analyse the security of the IoMT applications installed on smart devices and cloud applications. In the same vein, future work will be on the extension and implementation of the security assessment framework to other network technologies relevant to IoMT such as wireless, Zigbee, and ANT+. Furthermore, the proposed countermeasures discussed in this research can be implemented on simulated open-source platforms and their performance assessed. Other areas of future work can explore the simulation of other attacks.