Killed by code - mobile medical devices

Killed by code
Mob Sec Mobile Security Conference 4/11/2010 Herzliya
Danny Lieberman – Software Associates.
v6

Agenda
Mobile medical is hot
Applications
Threat scenarios
A threat model framework for secure code
Summary

Mobile medical devices are hot
Mobile consumer electronics creates potential for life-saving applications that are cheaper and more accessible than any other alternative.
The FDA is not there yet.
Neither is traditional IT security.

Mobile medical applications

Data tracking
Who: Patients, care-givers, doctors
What: Data acquisition
Why: Controlling symptoms of chronic illness requires tracking data over long periods of time.
Glucose
Heart rate
Blood pressure
Dosage (insulin, dopamine …)
...
Platforms : Smart-phones, data & location-based services.
Diabetes
Parkinson/MSA
Alzheimer
Asthma

Life-sustaining
Who: Patients
What: Implanted devices for cardiac pacing, defibrillation, drug delivery…
Why: Sustain life
Platforms : Embedded devices with mobile connectivity for remote monitoring & programming.
Chronic heart disease
Epilepsy
Diabetes
Depression
“…the latest technology in a full complement of patient-focused CRM products”

Threat Scenarios

Threat scenario template
An attacker may exploit vulnerabilities to cause damage to assets.
Security countermeasures mitigate vulnerabilities and reduce risk.
Attacker

Radio attack scenario
Threat T1 – A malicious attacker may exploit a clear text protocol and instruct an ICD to deliver a shock that would cause sudden cardiac death.
Vulnerability V1 – Clear text communications protocol
Countermeasure C1 – Encrypt network link Countermeasure C2 – Validate messages using secure tokens.
Attacker

Implantable Cardioverter Defibrillators
In 2008, approximately 350,000 pacemakers and 140,000 ICDs were implanted in the US.
Forecasted to $48BN in 2014.

Proof of concept attack:
Reverse-engineered commands
Intercepted vital signs, history
Reprogrammed therapy settings
DoS to deplete battery
Directed the ICD to deliver 137V shocks that would induce ventricular fibrillation in a patient.
2008 ICD vulnerability study

Device defect attack scenario
Threat T2 – An internal short circuit is undetected by the device control software and may be fatal.
Vulnerability V2 – Software doesn’t monitor hardware malfunctions
Countermeasure C3 – Notify customer service when hardware issue identified.Countermeasure C4 – Implement fail-safe function
Device malfunction

FDA device recalls
At least 6 recalls were probably caused by software defects.
The FDA issued 23 recalls of defective devices in H1/2010.
All were “Class 1” :
“reasonable probability that use of these products will cause serious adverse health consequences or death.”

Malicious code attack scenario
Threat T3 – Malicious code may be used in order to exploit multiple vulnerabilities and obtain patient information
Vulnerability V3 – USB, and/or Internet access enabled
Countermeasure C4 – Hardware toggle USBCountermeasure C5 – Network isolation
Countermeasure C6 – Software security assessment
Malware

Mobile clinical assistants
Mobile imaging analysis devices used by hospital radiologists had unplanned Internet access.
Over 300 devices infected by Conficker and taken out of service.
Regulatory requirements mandated that the impacted hospitals would have to wait 90 days before the systems could be modified to remove the infections and vulnerabilities.

Where is the FDA?
The FDA has refocused regulation from patient safety to auditing manufacturers’ compliance with their own standards.
If the FDA has approved a medical device, consumers cannot sue.
“Riegel v. Medtronic “, 2008

A threat model security framework

Objectives
Audit medical device manufacturer safety/security standards.
Assess product risk
Understand what threats count
Prioritize countermeasures.
Drive profits

Assess product risk

Understand what threats count

Prioritize countermeasures
Product management has 1 dollar in their pocket:
Countermeasure C1 – Encrypt network link to ICDCountermeasure C21 – Validate POST requests with secure tokens.
Countermeasure C3 – Wearable “cloaker” to ensure that only authorized programmers can interact with the device.

Drive profits
Transparency means more eyeballs can look at issues.
More eyeballs reduces cost.
More eyeballs means safer devices.
Safer devices means more revenue.
Medical device threat models are transparent.

Sources
Riegel v. Medtronic, Inc. http://www.law.cornell.edu/supct/html/06-179.ZS.html
Pacemakers and implantable cardiac defibrillators: Software radio attacks and zero-power defenses.Daniel Halperin et al. Proceedings of the 29th Annual IEEE Symposium on Security and Privacy, May 2008.http://www.secure-medicine.org/icd-study/icd-study.pdf
Software transparency in imbedded medical deviceshttp://www.softwarefreedom.org/resources/2010/transparent-medical-devices.html
Prof. NirGiladi, Tel Aviv Souraski Hospital Neurology Department, personal communication on data tracking for MSA patients
Biotronik – cellular pacemaker, http://www.biotronik.com/en/us/19412

Killed by code - mobile medical devices

by Software Associates on Nov 05, 2010

Accessibility

Categories

Upload Details

Usage Rights

1 Embed 149

Statistics

Killed by code - mobile medical devices Presentation Transcript