Attack-Graph Threat Modeling Assessment of Ambulatory Medical Devices

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

The continued integration of technology into all aspects of society stresses the need to identify and understand the risk associated with assimilating new technologies. This necessity is heightened when technology is used for medical purposes, such as ambulatory devices that monitor a patient's vital signs, because this integration creates environments that are conducive to malicious activities, and the potential impact presents new challenges for the medical community. Hence, this research presents attack graph modeling as a viable solution for identifying vulnerabilities, assessing risk, and forming mitigation strategies to defend ambulatory medical devices from attackers. Common and frequent vulnerabilities and attack strategies related to the various aspects of ambulatory devices, including Bluetooth-enabled sensors and Android applications, are identified in the literature. Based on this analysis, this research presents an attack graph modeling example on a theoretical device that highlights vulnerabilities and mitigation strategies to consider when designing ambulatory devices with similar components.


💡 Research Summary

The paper addresses the growing security concerns surrounding ambulatory medical devices (AMDs) that continuously monitor patients’ vital signs and transmit data via wireless and mobile platforms. Recognizing that traditional threat‑modeling techniques (e.g., STRIDE, PASTA) often fall short in capturing the intricate interplay of hardware, firmware, and software components in these devices, the authors propose the use of attack‑graph modeling as a systematic, visual, and quantitative method for identifying vulnerabilities, assessing risk, and guiding mitigation strategies.

First, a concise literature review catalogs the most frequently reported weaknesses in two core AMD subsystems: Bluetooth‑enabled sensors and Android‑based companion applications. The identified issues include weak or missing authentication during Bluetooth Low Energy (BLE) pairing, lack of cryptographic verification for over‑the‑air (OTA) firmware updates, excessive permission requests and intent‑injection vulnerabilities in Android apps, and unencrypted API communication with cloud back‑ends. For each vulnerability, the authors cite real‑world incidents and assign Common Vulnerability Scoring System (CVSS) values to provide a baseline risk metric.

Next, the authors construct a theoretical AMD architecture composed of three logical layers: (1) a BLE sensor node, (2) an Android mobile application that aggregates sensor data, and (3) a remote cloud server that stores and analyzes the information. Using the identified vulnerabilities as building blocks, they generate an attack graph where nodes represent individual attack steps or exploitable conditions, and directed edges denote feasible transitions contingent on prerequisite conditions. The graph explicitly models conditional dependencies—for example, a “Man‑in‑the‑Middle” (MitM) attack on the BLE link is only possible if the pairing process lacks Secure Connections, leading to subsequent data tampering and erroneous therapeutic commands. Similarly, a “Malicious APK Installation” path becomes viable when the app requests root privileges, enabling privilege escalation, remote code execution, and ultimately server compromise.

Each path through the graph is scored by aggregating the CVSS values of its constituent nodes, allowing the authors to pinpoint “critical attack paths” that present the highest overall risk. The paper then proposes concrete mitigation measures targeted at these critical nodes: strengthening BLE security by enforcing Secure Connections and periodic key rotation; mandating digitally signed OTA firmware with verification performed inside a hardware security module; applying the principle of least privilege and strict intent filtering in Android app development; and securing all client‑server communications with TLS 1.3 and JWT‑based authentication. By re‑evaluating the attack graph after these controls are applied, the authors demonstrate a reduction of the aggregate risk score by more than 45 %, illustrating the practical impact of the methodology.
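The graph construction and path scoring described in the two paragraphs above, as an added worked example (this is not the paper's code). The node names follow the attack steps the summary lists for the three layers; the CVSS values, the "any one prerequisite suffices" edge semantics, the sum-based path aggregation and the treatment of a control as removing its condition from the graph are all constructed assumptions for illustration, not figures taken from the paper.

```python
"""Attack-graph construction, critical-path scoring and post-mitigation
re-evaluation for a theoretical three-layer ambulatory medical device
(BLE sensor -> Android companion app -> cloud server).

Added example, not the paper's code. CVSS values and the aggregation rule
are constructed assumptions chosen only to make the mechanics visible.
"""
from typing import Dict, List, Set, Tuple


class AttackGraph:
    """Nodes are exploitable conditions or attack steps carrying a CVSS base
    score; a directed edge a -> b means step b becomes feasible once a holds."""

    def __init__(self) -> None:
        self.cvss: Dict[str, float] = {}
        self.pred: Dict[str, List[str]] = {}   # step -> prerequisite steps
        self.succ: Dict[str, List[str]] = {}   # step -> steps it enables
        self.mitigated: Set[str] = set()       # conditions removed by controls

    def add_step(self, name: str, cvss: float, requires: Tuple[str, ...] = ()) -> None:
        self.cvss[name] = cvss
        self.pred[name] = list(requires)
        self.succ.setdefault(name, [])
        for pre in requires:                   # any one prerequisite enables the step
            self.succ.setdefault(pre, []).append(name)

    def mitigate(self, name: str) -> None:
        """A control that removes a condition makes every path through it infeasible."""
        self.mitigated.add(name)

    def entry_points(self) -> List[str]:
        """Conditions an attacker can establish without any prior step."""
        return [n for n in self.cvss if not self.pred[n] and n not in self.mitigated]

    def paths(self) -> List[List[str]]:
        """Enumerate every feasible path from an entry point to a goal node
        (a goal is a step that enables nothing further, e.g. server compromise).
        Paths that dead-end at a mitigated step are dropped, not counted."""
        out: List[List[str]] = []

        def walk(node: str, trail: List[str]) -> None:
            if not self.succ[node]:            # reached a goal of the original graph
                out.append(trail)
                return
            for nxt in self.succ[node]:
                if nxt not in self.mitigated and nxt not in trail:  # trail check guards cycles
                    walk(nxt, trail + [nxt])

        for entry in self.entry_points():
            walk(entry, [entry])
        return out

    def path_score(self, path: List[str]) -> float:
        # Assumption: a path's risk is the sum of its nodes' CVSS scores.
        return round(sum(self.cvss[n] for n in path), 1)

    def critical_path(self) -> Tuple[List[str], float]:
        scored = [(p, self.path_score(p)) for p in self.paths()]
        return max(scored, key=lambda ps: ps[1]) if scored else ([], 0.0)

    def aggregate_risk(self) -> float:
        return round(sum(self.path_score(p) for p in self.paths()), 1)


def build_theoretical_amd() -> AttackGraph:
    """The summary's three-layer device; all CVSS values below are constructed."""
    g = AttackGraph()
    # Layer 1: BLE sensor link (pairing without Secure Connections enables MitM)
    g.add_step("ble_pairing_without_secure_connections", 6.5)
    g.add_step("ble_mitm", 7.4, requires=("ble_pairing_without_secure_connections",))
    g.add_step("sensor_data_tampering", 8.1, requires=("ble_mitm",))
    g.add_step("erroneous_therapeutic_commands", 9.1, requires=("sensor_data_tampering",))
    # Layer 2: Android companion app (root request enables the malicious-APK chain)
    g.add_step("app_requests_root_privileges", 5.3)
    g.add_step("malicious_apk_installation", 7.8, requires=("app_requests_root_privileges",))
    g.add_step("privilege_escalation", 8.2, requires=("malicious_apk_installation",))
    g.add_step("remote_code_execution", 9.0, requires=("privilege_escalation",))
    # Layer 3: cloud back-end, reachable via the app chain or an unencrypted API
    g.add_step("unencrypted_cloud_api", 7.5)
    g.add_step("server_compromise", 9.8,
               requires=("remote_code_execution", "unencrypted_cloud_api"))
    return g


def reassess(g: AttackGraph, controls: List[str]) -> Tuple[float, float, float]:
    """Apply controls (each named by the condition it removes), re-evaluate the
    graph and return (risk before, risk after, percent reduction)."""
    before = g.aggregate_risk()
    for condition in controls:
        g.mitigate(condition)
    after = g.aggregate_risk()
    pct = round(100.0 * (before - after) / before, 1) if before else 0.0
    return before, after, pct


if __name__ == "__main__":
    g = build_theoretical_amd()
    for p in g.paths():
        print(f"{g.path_score(p):5.1f}  " + " -> ".join(p))
    print("critical path:", g.critical_path())
    # Two of the summary's controls: enforce BLE Secure Connections, use TLS 1.3.
    before, after, pct = reassess(g, ["ble_pairing_without_secure_connections",
                                      "unencrypted_cloud_api"])
    print(f"aggregate risk {before} -> {after} ({pct}% reduction)")
    print("next priority:", g.critical_path())
```

Re-running `critical_path()` after `reassess()` is the step that makes the method actionable: with the BLE and API entry conditions removed, the Android chain is the only remaining path, so least-privilege and intent-filtering controls in the app become the next priority. Because `paths()` only counts trails that reach an original goal node, mitigating a mid-chain condition such as `ble_mitm` removes the whole BLE path rather than leaving a truncated one behind.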

The discussion acknowledges the strengths of attack‑graph modeling—its ability to visualize multi‑step attack scenarios, quantify risk, and guide prioritized remediation—while also noting scalability challenges as system complexity grows, potentially leading to combinatorial explosion in graph size. The authors admit that their work is limited to a simulated environment and call for future research that includes real‑device penetration testing, automated graph generation tools, and integration with machine‑learning‑based risk prediction models.

In conclusion, the study validates attack‑graph threat modeling as an effective approach for early‑stage security assessment of ambulatory medical devices. By focusing on the two most prevalent components—Bluetooth sensors and Android applications—the authors provide a reusable framework that can be adapted to a wide range of medical IoT products, helping designers embed robust security controls before devices reach patients.

