RE: Has Anyone Experienced Malicious Hacking of Their CPAP Machine Remotely?
Have they. Maybe.
There have been people who have jailbroken the firmware. They can make a ResMed AirSense 10 AutoSet run like an ivap or ventilator.
So if people are doing that then there will be people looking at if they can hack them. I'm sure there is a hacker or 2 with sleep apnea that would not be able to resist trying.
Anything, especially if exposed to a network, can be exposed to hackers.
Search engines like Shodan and ZoomEye make this even more likely as they index anything and everything they find on an IP address. They have indexed power plants, traffic lights, and hospital systems to name a few.
Hackers went and do go wild with these. You might get a nice hacker just seeing if they can and then warning someone or someone who sees what settings they can change.
I would like to know how much time was spent making sure a CPAP's web-facing backend was checked for security issues.
They may not change the machine. But it is a way into your internal network if connected to wifi. Who knows what they could do then.
To think it can't or won't is kidding yourself.
RE: Has Anyone Experienced Malicious Hacking of Their CPAP Machine Remotely?
CPAP machines do not connect to Wi-Fi. The modem inside these PAPs connects to mobile cellular.
RE: Has Anyone Experienced Malicious Hacking of Their CPAP Machine Remotely?
(07-05-2021, 04:51 PM)SarcasticDave94 Wrote: CPAP machines do not connect to Wi-Fi. The modem inside these PAPs connects to mobile cellular.
Thanks. Wasn't exactly sure if they were just 4G or had the option to connect via Wi-Fi.
I don't have one yet. Just got my prescription so still learning about them.
But if the mobile data is connected it will be internet-facing with an IP address so can be discovered and hacked.
They appear to run the machines on Linux/Unix. So could be vulnerable to a known exploit still.
Then there is the remote access to company and doctors. Logins can be brute-forced or exploited.
I personally will be keeping mine off the internet. Last thing I need is some kid on the other side of the world seeing what turning everything to max looks like.
RE: Has Anyone Experienced Malicious Hacking of Their CPAP Machine Remotely?
They are not connected to the internet. The manufacturers use a subscription cellular service that requires the machine's serial number for the connection to complete. Since you can't get a loan based on your CPAP data, what would justify the time and effort for one's sleep data settings?
07-05-2021, 07:25 PM
(This post was last modified: 07-05-2021, 07:26 PM by GuyScharf.)
RE: Has Anyone Experienced Malicious Hacking of Their CPAP Machine Remotely?
The CPAP machines themselves do not connect to the internet. They can call out, via cellular connection, to the manufacturer's site and report information. They cannot take incoming calls. Now the manufacturer's site will be web-accessible but your data will be mixed in with that of a million others. The manufacturer's site theoretically could be hacked and told to cause every machine that calls in to change something, but why would anyone bother?
RE: Has Anyone Experienced Malicious Hacking of Their CPAP Machine Remotely?
(07-05-2021, 06:41 PM)Crimson Nape Wrote: They are not connected to the internet. The manufacturers use a subscription cellular service that requires the machine's serial number for the connection to complete. Since you can't get a loan based on your CPAP data, what would justify the time and effort for one's sleep data settings?
The challenge is all the incentive they need. Either way still needs to have IP. Which means it can be scanned and services found.
07-05-2021, 08:08 PM
(This post was last modified: 07-05-2021, 08:12 PM by ThatGuy.)
RE: Has Anyone Experienced Malicious Hacking of Their CPAP Machine Remotely?
God, I need another coffee. Didn't see the cellular service part.
OK, so had a look. New models can use Wi-Fi, Bluetooth and cellular.
So the Wi-Fi and Bluetooth components could be hacked.
RE: Has Anyone Experienced Malicious Hacking of Their CPAP Machine Remotely?
(07-05-2021, 07:25 PM)GuyScharf Wrote: They cannot take incoming calls.
If not, I'm not sure how the DME's tech loaded my Rx to the new AirSense 11. Out-of-the-box, it was set to 5-20cm; now it's at my Rx of 8-12cm.
-Jeff
RE: Has Anyone Experienced Malicious Hacking of Their CPAP Machine Remotely?
(07-05-2021, 08:44 PM)jprestonian Wrote: If not, I'm not sure how the DME's tech loaded my Rx to the new AirSense 11. Out-of-the-box, it was set to 5-20cm; now it's at my Rx of 8-12cm.
-Jeff
Your tech made a change to your settings, this did *NOT* result in an immediate update to your device.
The settings the tech changed updated files on ResMed's servers.
The next time your device connected to ResMed servers, it uploaded your therapy data, then checked to see if there were any updates for it. There were, so it applied the changes.
At no time did your tech or anybody interactively connect to your machine.
RE: Has Anyone Experienced Malicious Hacking of Their CPAP Machine Remotely?
(07-06-2021, 09:02 AM)Dog Slobber Wrote: Your tech made a change to your settings, this did *NOT* result in an immediate update to your device.
The settings the tech changed updated files on ResMed's servers.
The next time your device connected to ResMed servers, it uploaded your therapy data, then checked to see if there were any updates for it. There were, so it applied the changes.
At no time did your tech or anybody interactively connect to your machine.
That may be the case, but if so, the tech was able to push that "call home" command, 'cause it changed in seconds while we were on the phone together. It didn't happen during the "normal" noonish schedule where the PAP reports to the mothership, as the telemedicine set-up appointment was at 2 p.m., and we were several minutes late getting started, as one tech had passed me off to another before I even got called. It seems feasible that perhaps the PAP checks in more frequently if it's still set at the default pressure range, of course.
Receiving packets across a cell network which cause a near-instantaneous change on the device may not be "interactive," but it's not something I've seen done until now, with the AirSense 11.
-Jeff