4. Why Prevent Resource Depletion?
• Attacks can be fatal to the patient
• The lifetime of the IMD drops from several years to weeks
• Replacing an IMD requires major surgery and puts the patient at risk
• An attacker may try to gain access to the patient's private information
6. Features of Shield
Protects against resource depletion attacks.
Provides user authentication.
Provides confidentiality for the IMD data.
Acts as a gateway to the IMD.
Maintains the user log.
Acts as a session manager for the IMD.
7. Security Model
[Diagram: Shield, User, TGS, IMD and Authenticator, connected by message steps numbered 1 to 6]
Assumptions:
The shared secret is shared securely between the users.
AES is used as the encryption algorithm.
8. User Authenticator TGS SHIELD
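K* - shared secret
IDc - client ID
[Sequence diagram: messages between User, Authenticator, TGS and Shield, in the order shown on the slide]
E[Name, IDc]
E[K*, Ticket_tgs]
E[IDc, Ticket_tgs]
E[K*, Ticket_shield]
E[IDc, Ticket_shield]
Begin Communication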
11. Authenticator
[Diagram labels: User; Request Access; Allow or Deny Access; Verify the user with the shared secret database; Request TGS; Shared Keys; Authenticator; User access pattern (Valid/Invalid); TGS shared secret]
12. Shield
Session Management:
Date and time the user requested access.
Duration of the user request.
Ticket lifetime.
User logs: [ Time, User, Session Time, Access/Denied ]
Establishes a secure communication channel between User and IMD by
acting as a relay.
[Diagram: User, secure channel, Shield, secure channel, IMD]
13. Start
[Flowchart boxes: Listen to the incoming request; Check the log; Validate the user; Block the connection; Initiate Connection; Deny the connection; Add to log. Branch labels: Accept, Deny]
14. Security Issues Addressed
• Attacker directly contacts the IMD
• Using a fake user ID and password to authenticate
• Sending an expired ticket to the TGS or Shield server
• Sending a fake ticket to the TGS or Shield server
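How a Shield could reject the expired and fake tickets listed above and produce the log entry format from the Shield slide, as an added example (not the presenters' demo code). It assumes AES in GCM mode, a key shared by the TGS and the Shield, and a ticket layout of IDc plus expiry time; the class, method and client names are hypothetical.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class ShieldTicketCheck {
    static Cipher gcm(int mode, byte[] key, byte[] iv) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding"); // AES per the slides; GCM mode is assumed
        c.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        return c;
    }
    // TGS side: ticket = IV || AES-GCM("<IDc>|<expiry in epoch seconds>") (layout assumed).
    static byte[] issue(byte[] key, String idc, long expiry) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        byte[] ct = gcm(Cipher.ENCRYPT_MODE, key, iv).doFinal((idc + "|" + expiry).getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }
    // Shield side: returns a log entry [Time, User, Session Time, Access/Denied].
    static String check(byte[] key, String idc, byte[] ticket, long now) {
        String verdict = "Denied";
        long session = 0; // seconds granted; assumed to be the ticket's remaining lifetime
        try {
            byte[] pt = gcm(Cipher.DECRYPT_MODE, key, Arrays.copyOfRange(ticket, 0, 12)).doFinal(ticket, 12, ticket.length - 12);
            String p = new String(pt, StandardCharsets.UTF_8);
            int sep = p.lastIndexOf('|');
            long expiry = Long.parseLong(p.substring(sep + 1));
            if (p.substring(0, sep).equals(idc) && now < expiry) {
                verdict = "Access";
                session = expiry - now;
            }
        } catch (Exception e) { /* fake, tampered or truncated ticket: tag check or parsing failed */ }
        return "[" + now + ", " + idc + ", " + session + "s, " + verdict + "]";
    }
    public static void main(String[] args) throws Exception {
        byte[] key = new byte[16]; // constructed demo key shared by TGS and Shield
        new SecureRandom().nextBytes(key);
        long now = System.currentTimeMillis() / 1000;
        byte[] valid = issue(key, "client-01", now + 300);
        byte[] fake = valid.clone();
        fake[fake.length - 1] ^= 1; // flip one bit to simulate a fake ticket
        System.out.println(check(key, "client-01", valid, now));
        System.out.println(check(key, "client-01", issue(key, "client-01", now - 1), now));
        System.out.println(check(key, "client-01", fake, now));
    }
}
```

Because the ticket is authenticated as well as encrypted, a modified ticket fails decryption outright instead of decrypting to garbage that might still parse.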
15. DEMO
[Diagram: SHIELD, USER, TGS, IMD and AUTHENTICATOR]
Communication between devices via sockets
Programming language: Java
Java CryptoX package used for security.
16. Test Cases
Expired Ticket
Invalid Ticket
Invalid User access Pattern
User Trying to Contact the IMD Directly
Session Management
17. Future Enhancements
The system needs to handle simultaneous user requests.
The user and shield can be implemented on a mobile device.
Incorporate key exchange.
Incorporate log auditing.
The log file at the Shield can be synchronized with the Authentication server.