Security and Privacy in Implantable Medical Devices
Upcoming SlideShare
Loading in...5
×
 

Like this? Share it with your network

Share

Security and Privacy in Implantable Medical Devices

on

  • 106 views

This slide deck was presented at the 2014 IEEE Security and Privacy Symposium in San Jose, CA. We discuss security and privacy with respect to implantable medical devices. Specifically, we present ...

This slide deck was presented at the 2014 IEEE Security and Privacy Symposium in San Jose, CA. We discuss security and privacy with respect to implantable medical devices. Specifically, we present trends in the academic literature, research challenges, and emerging threats.

Statistics

Views

Total Views
106
Views on SlideShare
106
Embed Views
0

Actions

Likes
0
Downloads
4
Comments
0

0 Embeds 0

No embeds

Accessibility

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Security and Privacy in Implantable Medical Devices Presentation Transcript

  • 1. SoK: Security and Privacy  in Implantable Medical Devices  Michael Rushanan1, Denis Foo Kune2, Colleen M. Swanson2, Aviel D. Rubin1 1. Johns Hopkins University 2. University of Michigan 0   This work was supported by STARnet, the Dept. of HHS under award number 90TR0003-01, and the NSF under award number CNS1329737, 1330142.
  • 2. What is an Implantable Medical Device? •  The FDA strictly defines a medical device •  Device –  Embedded system that can sense and actuate •  Implantable –  Surgically placed inside of a patient’s body •  Medical –  Provides diagnosis and therapy for numerous health conditions 1   Neuro- stimulator Cochlear implant Cardiac Insulin Pump Gastric Simulator Various IMDs Trigger M Se S
  • 3. 2   Implantable Medical Devices are not your typical PCs
  • 4. Implantable Medical Devices are not your typical PCs 3  
  • 5. Implantable Medical Devices are not your typical PCs 4   •  There exists resource limitations –  The battery limits computation and is not rechargeable •  There are safety and utility concerns –  The IMD must be beneficial to the patient and elevate patient safety above all else –  Security and privacy mechanisms must not adversely affect the patient or therapy •  Lack of security mechanisms may have severe consequences •  IMD’s provide safety-critical operation –  Must fail-open in the context of an emergency
  • 6. Research Questions •  How do we provide security and privacy mechanisms that adequately consider safety and utility? •  When do we use traditional security and privacy mechanisms or invent new protocols? •  How do we formally evaluate security and privacy mechanisms? •  Novel attack surfaces 5  
  • 7. A Healthcare Story 6   Alice Cardiac Carl Nurse Patient
  • 8. Cardiac Carl’s Condition 7   •  Atrial Fibrillation •  Implantable Cardioverter Defibrillator •  His ICD is safety-critical Cardiac Carl Atrial Fib.
  • 9. Alice and Carl’s Relationship 8   visits accesses ICD w/ programmer receives private data adjusts therapy Where are the security and privacy mechanisms? Cardiac Carl Nurse Alice
  • 10. Alice and Carl’s Relationship 9   visits! accesses ICD! send private data! adjust therapy! Carl! Alice! Mallory Hacker Elite
  • 11. Alice Mallory and Carl’s Relationship 10   Cardiac Carl Nurse Alice Mallory wireless communication [Halperin, S&P, 08], [Li, HealthCom, 11] eavesdrop forge modify jam
  • 12. Attack Surfaces 11   Cardiac Carl Telemetry Interface Software Hardware/Sensor Interface
  • 13. Security and Privacy Mechanisms 12   •  Security and Privacy mechanisms exist in standards –  Medical Implant Communication Services –  Wireless MedicalTelemetry Service •  These mechanisms are optional •  Interoperability might take priority of security [Foo Kune, MedCOMM, 12]
  • 14. H2H: authentication using IPI Rostami et al. [45], CCS ’13 Attacks on OPFKA and IMDGuard Rostami et al. [19], DAC ’13 Using bowel sounds for audit Henry et al. [46], HealthTech ’13 OPFKA: key agreement based on overlapping PVs Hu et al. [47], INFOCOM ’13 Namaste: proximity- based attack against ECG Bagade et al. [23], BSN ’13 ASK-BAN: key gen and auth using wireless channel chars Shi et al. [48], WiSec ’13 FDA MAUDE and Recall database analysis Alemzadeh et al. [49], SP ’13 Attacks on friendly jamming techniques Tippenhauer et al. [50], SP ’13 MedMon: physical layer anomaly detection Zhang et al. [51], T-BCAS ’13 Ghost Talk: EMI signal injection on ICDs Foo Kune et al. [22] SP ’13 Key sharing via human body transmission Chang et al. [52], HealthSec ’12 Security and privacy analysis of MAUDE Database Kramer et al. [53], PLoS ONE ’12 BANA: authentication using received signal strength variation Shi et al. [54], WiSec ’12 Side-channel attacks on BCI Martinovic et al. [55], USENIX ’12 PSKA: PPG and ECG-based key agreement Venkatasubramanian et al. [56], T- ITB ’10 Wristband and password tattoos Denning et al. [39], CHI ’10 ECG used to determine proximity Jurik et al. [57], ICCCN ’11 ICD validation and verification Jiang et al. [58], ECRTS ’10 Shield: external proxy and jamming device Gollakota et al. [59] SIGCOMM ’11 BioSec extension for BANs (journal version) Venkatasubramanian et al. [60], TOSN ’10 Eavesdropping on acoustic authentication Halevi et al. [61], CCS ’10 Wireless attacks against insulin pumps Li et al. [18], HealthCom ’11 Authentication using body coupled communication Li et al. [18], HealthCom ’11 Software security analysis of external defibrillator Hanna et al. [1], HealthSec ’10 IMDGuard: ECG-based key management Xu et al. [62], INFOCOM ’11 Defending against resource depletion Hei et al. [63], GLOBECOM ’10 PPG-based key agreement Venkatasubramanian et al. [64], MILCOM ’08 Audible, tactile, and zero power key exchange Halperin et al. [12], SP ’08 Wireless attacks against ICDs Halperin et al. [12], SP ’08 Proximity- based access control using ultrasonic frequency Rasmussen et al. [65], CCS ’09 Security and privacy of neural devices Denning et al. [66], Neurosurg Focus ’09 Biometric requirements for key generation Ballard et al. [67], USENIX ’08 ECG-based key agreement Venkatasubramanian et al. [68], INFOCOM ’08 Cloaker: external proxy device Denning et al. [69], HotSec ’08 BioSec extension for BANs Venkatasubramanian and Gupta. [70], ICISIP ’06 BioSec: extracting keys from PVs Cherukuri et al. [71] ICPPW ’03 Authentication and secure key exchange using IPI Poon et al. [72], Commun. Mag ’06 Biometric and Physiological Values Distance BoundingWireless Attacks Software/Malware Anomaly DetectionOut-of-Band External Devices Emerging Threats Food-grade meat phantom used Defense contribution Dependency RelationshipAttack contribution 13   Biometrics and PhysiologicalValues Out-of-Band Distance Bounding Software/Malware External Devices Anomaly Detection Future Work Telemetry Interface 2013 2003
  • 15. Research Challenges •  Access to Implantable Medical Devices –  Is much harder then getting other components •  Reproducibility –  Limited analysis of attacks and defenses –  Do not use meat-based human tissue simulators –  Do use a calibrated saline solution at 1.8 g/L at 21 ◦C •  The complete design is described in the ANSI/AAMI PC69:2007 standard [92,Annex G] 14  
  • 16. Security and Privacy Mechanisms •  Biometric and PhysiologicalValues –  Key generation and agreement •  Electrocardiogram (ECG) –  Heart activity signal •  Interpulse interval –  Time between heartbeats 15  
  • 17. H2H Authentication Protocol 16   [Rostami, CCS, 13] Cardiac Carl Nurse Alice measure ECG α measure ECG β send ECG measurement β send ECG measurement α TLS without certs
  • 18. H2H Authentication Protocol 17   [Rostami, CCS, 13] •  Adversarial Assumptions –  Active attacker with full network control –  The attacker cannot: •  Compromise the programmer •  Engage in a denial-of-service •  Remotely measure ECG to weaken authentication
  • 19. PhysiologicalValues as an Entropy Source •  How do ECG-based protocols work in practice? –  Age, Exertion, Noise •  ECG-based protocols rely on an analysis of ideal data in an unrealistic setting –  Data sample is close to their ideal distribution –  Very accurate estimate of distribution characteristics –  Extract randomness using the estimate on the same data sample •  Observability –  Using video processing techniques to extract ECG-signals 18   [Rostami, S&P, 2013] [Chang, HealthTech, 2012] [Poh, Biomedical Engineering, 11]
  • 20. 19   H2H: authentication using IPI Rostami et al. [45], CCS ’13 Attacks on OPFKA and IMDGuard Rostami et al. [19], DAC ’13 Using bowel sounds for audit Henry et al. [46], HealthTech ’13 OPFKA: key agreement based on overlapping PVs Hu et al. [47], INFOCOM ’13 Namaste: proximity- based attack against ECG Bagade et al. [23], BSN ’13 ASK-BAN: key gen and auth using wireless channel chars Shi et al. [48], WiSec ’13 FDA MAUDE and Recall database analysis Alemzadeh et al. [49], SP ’13 Attacks on friendly jamming techniques Tippenhauer et al. [50], SP ’13 MedMon: physical layer anomaly detection Zhang et al. [51], T-BCAS ’13 Ghost Talk: EMI signal injection on ICDs Foo Kune et al. [22] SP ’13 Key sharing via human body transmission Chang et al. [52], HealthSec ’12 Security and privacy analysis of MAUDE Database Kramer et al. [53], PLoS ONE ’12 BANA: authentication using received signal strength variation Shi et al. [54], WiSec ’12 Side-channel attacks on BCI Martinovic et al. [55], USENIX ’12 PSKA: PPG and ECG-based key agreement Venkatasubramanian et al. [56], T- ITB ’10 Wristband and password tattoos Denning et al. [39], CHI ’10 ECG used to determine proximity Jurik et al. [57], ICCCN ’11 ICD validation and verification Jiang et al. [58], ECRTS ’10 Shield: external proxy and jamming device Gollakota et al. [59] SIGCOMM ’11 BioSec extension for BANs (journal version) Venkatasubramanian et al. [60], TOSN ’10 Eavesdropping on acoustic authentication Halevi et al. [61], CCS ’10 Wireless attacks against insulin pumps Li et al. [18], HealthCom ’11 Authentication using body coupled communication Li et al. [18], HealthCom ’11 Software security analysis of external defibrillator Hanna et al. [1], HealthSec ’10 IMDGuard: ECG-based key management Xu et al. [62], INFOCOM ’11 Defending against resource depletion Hei et al. [63], GLOBECOM ’10 PPG-based key agreement Venkatasubramanian et al. [64], MILCOM ’08 Audible, tactile, and zero power key exchange Halperin et al. [12], SP ’08 Wireless attacks against ICDs Halperin et al. [12], SP ’08 Proximity- based access control using ultrasonic frequency Rasmussen et al. [65], CCS ’09 Security and privacy of neural devices Denning et al. [66], Neurosurg Focus ’09 Biometric requirements for key generation Ballard et al. [67], USENIX ’08 ECG-based key agreement Venkatasubramanian et al. [68], INFOCOM ’08 Cloaker: external proxy device Denning et al. [69], HotSec ’08 BioSec extension for BANs Venkatasubramanian and Gupta. [70], ICISIP ’06 BioSec: extracting keys from PVs Cherukuri et al. [71] ICPPW ’03 Authentication and secure key exchange using IPI Poon et al. [72], Commun. Mag ’06 Biometric and Physiological Values Distance BoundingWireless Attacks Software/Malware Anomaly DetectionOut-of-Band External Devices Emerging Threats Food-grade meat phantom used Defense contribution Dependency RelationshipAttack contribution Future Work
  • 21. Trusted Sensor Interface •  Current systems trust their analog sensor inputs •  This assumption may not always hold •  Forging signals using electromagnetic interference –  Inject cardiac waveform 20   [Foo Kune, S&P, 2013]
  • 22. Neurosecurity 21   •  Neurostimulators –  What are the new attack surfaces –  What are the implications of recording and transmitting brainwaves •  Brain computer interfaces •  Cognitive recognition could leak: –  Passwords, personal information [Martinovic, USENIX, 2012], [Denning, Neurosurg Focus, 09]
  • 23. Questions? •  IMDs are becoming more common –  Improving patient outcome •  Research gaps exists –  Software –  Sensor Interface •  Areas for future work include –  Physiological values as an Entropy Source –  Trusted Sensor Interface –  Neurosecurity •  See our paper for more details! 22