Why Prevent Resource Depletion?• Attacks can cause serious fatalities to the patient• The lifetime of IMD reduces from several years to weeks• Replacing an IMD requires major surgery and will put patient at risk• Attacker may try to gain access to patient privacy information
Proposed SolutionIMD SHIELD WIRELESS ATTACKER
Features of Shield Prevents against the resource depletion attacks . Provides user authentication. Provides confidentiality to the IMD data. Acts as an gateway to the IMD. Maintains the user log. Acts as a session manager for IMD.
Security Model 6 3Shield User TGS 5 4 1 2 Assumption: Shared Secret shared securely shared between the users. AES used as encryption algorithm. IMD Authenticator
User Authenticator TGS SHIELD E[Name,Idc] K * - SHARED SECRED IDc - CLIENT ID E[K*,Tickettgs] E[IDc, Tickettgs] E[K*,Ticketshield ] E[IDc, Ticketshield] Begin Communication
TICKET FORMATAuthentication Client Server E[K*, IDC, TIMESTAMP, LIFETIME]
Authenticator User Request Access Allow or Deny Access Verify the user with Request TGS shared the secret database User accessShared Keys Authenticator Valid/ Pattern Invalid TGS Shared secret
Shield Session Management: Date and Time the user requested the access . Duration of the user request. Ticket lifetime. User logs: [ Time, User, Session Time, Access/Denied ] Establishes a secure communication channel between User and IMD by acting as a relay. Shield User Secure Channel Secure Channel IMD
Start Listen to the incoming request Deny Accept Accept Check Validate Block the the log the userconnection Initiate Connection Deny the connection Add to log
Security Issues Addressed• Attacker Directly contacts the IMD• Using Fake User ID and Password to authenticate• Sending Expired Ticket to TGS or Shield Server• Sending Fake Ticket to TGS or Shield Server
DEMOSHIELD USER TGS Communication between devices via Sockets Programing Language: Java Java CryptoX package used for security. IMD AUTHENTICATOR
Test Cases Expired Ticket Invalid Ticket Invalid User access Pattern User Trying to Contact the IMD Directly Session Management
Future Enhancements System needs to handle simultaneous user request The user and shield can to be implemented on a mobile device. Incorporate Key Exchange. Incorporate Log Auditing. The Log File At the Shield can be synchronized with the Authentication server
Sources Daniel Halperin, Thomas S. Heydt-benjamin, Kevin Fu, Tadayoshi Kohno, William H. Maisel“Security and Privacy for Implantable Medical Devices”, IEEE Pervasive Computing, vol 7, no.1,pp. 30-39, 2008. Daniel Halperin, Kevin Fu, Shaun S.Clark, Pacemakers and Implantable CardiacDefibrillators: Software Radio Attacks and Zero-Power Defenses, IEEE Symposium on Securityand Privacy 2008. http://www.ists.dartmouth.edu/events/abstract-kevinfu.html K. Fu, “Inside risks: reducing risks of implantable medical devices,” Communications of theACM,vol. 52, pp: 25-27, Jun. 2009. K. Malasri and L. Wang, “Securing wireless implantable devices for healthcare: ideas andchallenges,” IEEE Communications, vol. 47, pp: 74-80, Jul. 2009 Xiali Hei, Xiaojiang Du, Jie Wu, Fei Hu “Defending Resource Depletion Attacks onImplantable edical Devices”, Global Telecommunication Conference-GLOBECOM,pMp 1-5,2010. B. E. Boser, I. M. Guyon, and V. N. Vapnik, “A training algorithm for optimal marginclassifiers,” In Proc. of the 5th Annual ACM Workshop on COLT, pp: 144-152, 1992. S. Cherukuri, K. K. Venkatasubramanian, and S. K. S. Gupta, “Biosec: a biometric basedapproach for securing communication in wireless networks of biosensors implanted in thehuman body,” In Proc. of Intl. Conf. on Parallel Processing Workshops, pp: 432-439, 2003.