this ain t your dose sensor spoofing attack on medical
play

This Aint Your Dose: Sensor Spoofing Attack on Medical Infusion - PowerPoint PPT Presentation

Sep 01, 2023 •124 likes •469 views

This Aint Your Dose: Sensor Spoofing Attack on Medical Infusion Pump Youngseok Park 1,2 , Yunmok Son 2 , Hocheol Shin 2 , Dohyun Kim 2 , and Yongdae Kim 2 1 NAVER Labs 2 System Security Laboratory, KAIST 10th USENIX Workshop on Offensive

  1. This Ain’t Your Dose: Sensor Spoofing Attack on Medical Infusion Pump Youngseok Park 1,2 , Yunmok Son 2 , Hocheol Shin 2 , Dohyun Kim 2 , and Yongdae Kim 2 1 NAVER Labs 2 System Security Laboratory, KAIST 10th USENIX Workshop on Offensive Technologies (WOOT '16) Aug.09.2016

  2. Sensor v Sensing changes in physical property and converting to electric signal v Gyroscope, Accelerometer, Radar, Sonar, Infrared sensor, etc. 2

  3. Sensing and Actuation System Real World Sensing Actuation System Sensor Actuator Crash Flight Radar Gyroscope avoidance control ADC Processor Converting Processing 3 ADC: Analog-to-Digital Converter

  4. Sensing and Actuation System Spoofing! Real World Sensing Actuation System Sensor Actuator Crash Flight Radar Gyroscope avoidance control No Authentication ADC Processor Converting Processing Vulnerable to sensor spoofing attack 4 ADC: Analog-to-Digital Converter

  5. Sensor Spoofing Attack v Manipulating sensors with a malicious signal v Previous works - Attacking Circuit using EMI: Injecting EMI into a wire of a defibrillator (S&P’13) - Canceling and injecting Active Sensor Signal: magnetic signal on ABS sensor (CHES’13) - Generating Resonance (DoS): Injecting sound noise into a gyroscope of a drone (SEC’15) EMI: Electromagnetic Interference ABS: Anti-lock Braking System 5

  6. This Work: Manipulating Sensing Values by Saturating Receiver 6

  7. Target: Medical Infusion Pump v Controlling infused volume of medicine to patients v Sometimes using a drop sensor for accuracy From drop sensor Medicine Display IV Tube Drop Output ~ Actuator IR IR (Peristaltic emitter receiver Fingers) Drip chamber IV Tube Control To infusion pump body panel To human’s body 7 Drop sensor Infusion Pump (body)

  8. Infusion Pump Operation Light 8

  9. Sensor Saturation v New type of sensor spoofing attack using saturation - Sensors have typical operating region - Output is saturated when exceeding a saturation point - Blinding sensors In case of the infusion pump 9

  10. Medical Infusion Pump v Two infusion pumps with drop sensors Infusion pump Drop sensor JSB-1200 (Pump1) BYS-820 (Pump2) 10

  11. Hardware Analysis v Pump1 (JSB-1200) LED Tube IR receiver IR emitter Peristaltic fingers IR Filter Infusion pump Drop sensor 11

  12. Hardware Analysis v Measuring signal with oscilloscope - Connector = 4 pins: VCC, GND, LED, and IN (signal) Connector (Device side) Normal drop Four pins (Sensor side) 12

  13. Simple Test (Saturation, w/o filter) 13

  14. Simple Test (Saturation, w/o filter) 14

  15. Hardware Analysis v Mainboard (2 MCUs) W78E516D (MCU2) Drop sensor port AT89S52 (MCU1) SPI Port Internal structure 15

  16. Hardware Analysis v Sensor output is inserted to MCU1 after ADC - 8-bit ADC (0 to 255) - Digital signal indicates voltage level of the drop sensor MCU1 8-bit ADC IN (sensor output) Output of ADC 16

  17. Firmware Extraction v Extracting firmware of MCU1 via SPI port - Reading Flash memory using USBISP and AVR Studio - Data section -> 8051 assembly -> IDA Pro USBISP Data section AT89S52 (MCU1) SPI Port AVR Studio 4 Intel HEX format 17

  18. Firmware Analysis v Finding sensor output in Timer interrupt function Put 8-bit sensor output to RAM 18

  19. Firmware Analysis 19

  20. Drop Detection Algorithm Sensing drop when voltage decreases by 𝟏.𝟒𝟑𝑾 Send command (0x11) through serial port, connected to MCU2 20

  21. Pump1 Structure 1. Drop sensor output enters into AT89S52 (MCU1) 2. MCU1 sends data to W78E516D (MCU2) via serial comm. 3. MCU2 actuates peripherals with this data Pins of MCU2 are directly connected to motor, display and alarm - 21

  22. Vulnerability v Drop sensor - Saturated with an external source Saturation - Cannot sense drops in saturation v Drop detection algorithm - Counting drops based on a relative change in voltage Fake drop - Making a voltage drop to sensor output 22

  23. Experimental Setting IR Laser (905nm, 30mW) Drop sensor Measuring Arduino cylinder Infusion pump 23

  24. Experiment v Performed on both infusion pumps (Pump1, Pump2) v Saturation (failed in Pump2) - Sensor is saturated when injecting IR laser to receiver - Drop sensor cannot sense real drops -> Over-infusion v Fake drops - Sensor is deceived by fake drops with external IR - Pump perceives that there are drops already -> Under-infusion v Both cases cause an alarm 24

  25. Spoofing Pattern v Over-infusion - Alarm: “ No drop is detected ” - Inject some period and compensate insufficient drops v Under-infusion - Alarm: “ Too many drops are detected ” - Find properly interval of fake drops experimentally v Example (60mL/h setting) - 1 drop per 3 seconds fake drop Real drop interval (3s) drop Normal operation Continuous saturation Alarm Over-infusion Under-infusion Fake drop interval 25 Saturation time (13s) 2s

  26. Demo (Over-infusion) 26

  27. Demo (Under-infusion) 27

  28. Spoofing Pattern v Over-infusion - Alarm: “ No drop is detected ” - Inject some period and compensate insufficient drops v Under-infusion - Alarm: “ Too many drops are detected ” - Find properly interval of fake drops experimentally fake drop Real drop interval drop Normal operation Continuous saturation Alarm Over-infusion Under-infusion Fake drop interval 28 Saturation time 2s

  29. Results v Controlling infused volume is possible - By adjusting saturation time or fake drops - Measured in 10 minutes and 5 times each (No alarm rings over 30 minutes) - Over-infusion fails on Pump2 29

  30. Discussion v Attack distance - Related to power of source - Possible in the range of 12m with 30mW IR laser v Mitigation Concept of PyCRA - Authentication between emitter and receiver • PyCRA (CCS ‘15) Sensor output Detect! • Generate random zero signal in an emitter Boundary check - Voltage level detection • Checking boundary of legitimate signal - Physical isolation Saturation Real drops (without spoofing) (by spoofing) Voltage level detection 30

  31. Discussion v Attack distance - Related to power of source - Possible in the range of 12m with 30mW IR laser v Mitigation - Authentication between emitter and receiver • PyCRA (CCS ‘15) • Generate random zero signal in an emitter - Voltage level detection • Checking boundary of legitimate signal - Physical isolation 31

  32. Conclusion v Presenting a new type of sensor spoofing attack - Deceiving a sensor by saturation v Analysis on medical infusion pumps - Finding vulnerability in drop detection algorithm v Controlling infused fluid from 65% to 330% v Note - Infusion pump was not communicating at all. - IR lay is invisible to human eyes. - FDA approved US devices? v Sensor security - Most sensors are exposed to receive signal - Must be considered for safety 32

  33. Thank You! E-mail: ys.park@navercorp.com

Recommend

This aint your dose: Sensor Spoofing Attack on Medical Infusion Pump Youngseok Park 1,2 , Yunmok

This aint your dose: Sensor Spoofing Attack on Medical Infusion Pump Youngseok Park 1,2 , Yunmok

This aint your dose: Sensor Spoofing Attack on Medical Infusion Pump Youngseok Park 1,2 , Yunmok Son 2 , Hocheol Shin 2 , Dohyun Kim 2 , and Yongdae Kim 2 1 NAVER Labs ys.park@navercorp.com 2 Korea Advanced Institute of Science and Technology

248 views • 11 slides
Attack Class: Address Spoofing L. Todd Heberlein 23 Oct 1996 Net Squared Inc. todd@NetSQ.com

Attack Class: Address Spoofing L. Todd Heberlein 23 Oct 1996 Net Squared Inc. todd@NetSQ.com

Attack Class: Address Spoofing L. Todd Heberlein 23 Oct 1996 Net Squared Inc. todd@NetSQ.com Overview of Talk l Introduction l Background material l Attack class l Example attack l Popular questions l Extensions UCD Vulnerabilities Group l

759 views • 24 slides
DNS: the Kaminsky Blind Spoofing Attack CS 161: Computer Security Prof. David Wagner April 1,

DNS: the Kaminsky Blind Spoofing Attack CS 161: Computer Security Prof. David Wagner April 1,

DNS: the Kaminsky Blind Spoofing Attack CS 161: Computer Security Prof. David Wagner April 1, 2016 16 bits 16 bits DNS Blind Spoofing, cont. SRC=53 DST=53 checksum length Once we randomize the Identification Flags Identification,

768 views • 53 slides
Device-to-Identity linking attack using targeted I T A N Wi-Fi geolocation spoofing T U T

Device-to-Identity linking attack using targeted I T A N Wi-Fi geolocation spoofing T U T

RECHERCHE N O Y L E D S E E U Q I L P P A S E C N E I C S S E D L A N O Device-to-Identity linking attack using targeted I T A N Wi-Fi geolocation spoofing T U T I T S N I C elestin Matte -

702 views • 20 slides
A Collusion Attack on Pairwise Key Presdistribution Schemes for Distributed Sensor Networks

A Collusion Attack on Pairwise Key Presdistribution Schemes for Distributed Sensor Networks

Introduction & background Key-swapping collusion attack Analysis Discussion & Conclusions A Collusion Attack on Pairwise Key Presdistribution Schemes for Distributed Sensor Networks Tyler W Moore University of Cambridge Computer

773 views • 19 slides
Dose distribution calculations in TPS photon beams Pawe Kukoowicz Medical l Physics De

Dose distribution calculations in TPS photon beams Pawe Kukoowicz Medical l Physics De

Dose distribution calculations in TPS photon beams Pawe Kukoowicz Medical l Physics De Department, War arsaw, Pola oland Delivered dose does matter! NORMAL TISSUE DOSE (Gy) 10 20 40 10 20 30 50 30 40 50 1,0 PROBABILITY OF

856 views • 46 slides
disclaimer: half-baked ideas IP spoofing is a well-known problem a key component of such

disclaimer: half-baked ideas IP spoofing is a well-known problem a key component of such

disclaimer: half-baked ideas IP spoofing is a well-known problem a key component of such DDoS attacks addressing spoofing attempts to eliminate spoofing, not adopted IETF BCPs 38-84, ISOC MANRS scrubbing centers (eg Akamai,

700 views • 19 slides
IP and ARP Security, Earlence Fernandes UW Madison CS 642 1 Todays agenda IP Spoofing

IP and ARP Security, Earlence Fernandes UW Madison CS 642 1 Todays agenda IP Spoofing

IP and ARP Security, Earlence Fernandes UW Madison CS 642 1 Todays agenda IP Spoofing Denial of Service attack (DoS) Distributed DoS (DoS) Source address validation Link layer security Address resolution protocol (ARP)

1.72k views • 35 slides
A Low-dose, Accurate Medical A Low-dose, Accurate Medical Imaging Method for Proton Therapy:

A Low-dose, Accurate Medical A Low-dose, Accurate Medical Imaging Method for Proton Therapy:

A Low-dose, Accurate Medical A Low-dose, Accurate Medical Imaging Method for Proton Therapy: Imaging Method for Proton Therapy: Proton Computed Tomography Proton Computed Tomography Bela Erdelyi Department of Physics, Northern I llinois

479 views • 29 slides
Comparison of different threshold values for a wavelet designed attack sensor C. Cappo 1 C.

Comparison of different threshold values for a wavelet designed attack sensor C. Cappo 1 C.

Comparison of different threshold values for a wavelet designed attack sensor C. Cappo 1 C. Schaerer 1 A. Kozakevicius 2 R. Ceretta 2 B. Mozaquattro 2 1 Polytechnic School, National University of Asuncin, Paraguay 2 Technology Center Federal

809 views • 47 slides
Weaponizing Wireless Networks: An Attack Tool for Launching Attacks against Sensor Networks

Weaponizing Wireless Networks: An Attack Tool for Launching Attacks against Sensor Networks

Weaponizing Wireless Networks: An Attack Tool for Launching Attacks against Sensor Networks Thanassis Giannetsos and Tassos Dimitriou Athens Information Technology Algorithms & Security (agia@ait.edu.gr) Black Hat Spain, 2010 Barcelona

700 views • 46 slides
Former Worker Medical S creening Program Development of Low Dose CT S can S creening Proj

Former Worker Medical S creening Program Development of Low Dose CT S can S creening Proj

Former Worker Medical S creening Program Development of Low Dose CT S can S creening Proj ect Nicole Richardson UI College of Public Health Dr. Laurence Fuortes Outline Background of the Former Worker Medical Screening Program

391 views • 28 slides
Medical Physicists Medical Physicists Responsibilities Responsibilities Evaluation and

Medical Physicists Medical Physicists Responsibilities Responsibilities Evaluation and

Joel E. Gray, Ph.D. Medical Physicists Medical Physicists Responsibilities Responsibilities Evaluation and Consulting on Evaluation and Consulting on Patient Dose in Diagnostic Imaging Patient Dose in Diagnostic Imaging Provide dose

389 views • 17 slides
Integrating Medical Sensor Systems into Electronic Medical Records: The ITALH Project and Testbed

Integrating Medical Sensor Systems into Electronic Medical Records: The ITALH Project and Testbed

Integrating Medical Sensor Systems into Electronic Medical Records: The ITALH Project and Testbed Ruzena Bajcsy, Shankar Sastry, Mike Eklund Tanya Roosta, Marci Meingast, Edgar Lobotan Adeeti Ullal, Rustom Dessai, Willy Cheung, Albert Chang

498 views • 15 slides
vil : Dri Drift ft with th De Devi Security of Multi-Sensor Fusion based Localization in

vil : Dri Drift ft with th De Devi Security of Multi-Sensor Fusion based Localization in

vil : Dri Drift ft with th De Devi Security of Multi-Sensor Fusion based Localization in High-Level Autonomous Driving under GPS Spoofing Junjie Shen , Jun Yeon Won, Zeyuan Chen, Qi Alfred Chen ASGuard A utonomous S ystem Gu Guard

394 views • 20 slides
Low-dose CT Enhancement Network with a Perceptual Loss Function in the Spatial Frequency and Image

Low-dose CT Enhancement Network with a Perceptual Loss Function in the Spatial Frequency and Image

Low-dose CT Enhancement Network with a Perceptual Loss Function in the Spatial Frequency and Image Domains Medical Imaging with Deep Learning 2020 Kevin J. Chung, 1,2 Roberto Souza, 3,4 Richard Frayne, 3,4 Ting-Yim Lee 1,2 1 Department of Medical

227 views • 5 slides
Phase I dose-escalation trials with more than one dosing regimen Burak Krad Gnhan 1

Phase I dose-escalation trials with more than one dosing regimen Burak Krad Gnhan 1

Phase I dose-escalation trials with more than one dosing regimen Burak Krad Gnhan 1 Sebastian Weber 2 Abdelkader Seroutou 2 Tim Friede 1 IBS-DR, Gttingen, 7 December, 2018 1 Department of Medical Statistics, University Medical Center

627 views • 52 slides
From Monolith to Microservices Tony Maher Dose Media www.dose.com www.omgfacts.com

From Monolith to Microservices Tony Maher Dose Media www.dose.com www.omgfacts.com

From Monolith to Microservices Tony Maher Dose Media www.dose.com www.omgfacts.com Tony Maher, Team Lead tony@dose.com, @tonymaher5 Dose Media Large scale websites - 55 million monthly uniques. Uptime is paramount.

681 views • 34 slides
Concentration- Tine Products (CTFS) of methyl bromide Table 1. obtained at Mill X and Mill B. CTPs

Concentration- Tine Products (CTFS) of methyl bromide Table 1. obtained at Mill X and Mill B. CTPs

I'-BB USE OF X SENSOR-=TED DOSING SYSTBZ4 TO REDUCE TBB DOSE OP .KETHY?L BROMIDE Chakrabarti, T.J. Wontner-Smith 3. A new micro-processor controlled sensor related dosing system (Fig. 1) to fumigate flour mills with methyl bromide against insect

547 views • 3 slides
relationships at low dose IR Dik C. van Gent, Erasmus MC Modeling of the dose-response curve

relationships at low dose IR Dik C. van Gent, Erasmus MC Modeling of the dose-response curve

Linear and non-linear dose-effect relationships at low dose IR Dik C. van Gent, Erasmus MC Modeling of the dose-response curve LNT, threshold, hypersensitive, hormesis? What can we measure at low dose? - DNA repair (linear 10-1000 mGy) -

174 views • 16 slides
Automated dose control in multi-slice CT Nicholas Keat Formerly ImPACT, St George's Hospital,

Automated dose control in multi-slice CT Nicholas Keat Formerly ImPACT, St George's Hospital,

Automated dose control in multi-slice CT Nicholas Keat Formerly ImPACT, St George's Hospital, London UKRC 2006 Introduction to presentation CT contributes ~50+ % of all medical radiation dose Ideally all patients would receive just

640 views • 30 slides
A Tutorial on Radiation Dose and Dose Rate Kurt Sickafus Dose = Absorbed Energy Density

A Tutorial on Radiation Dose and Dose Rate Kurt Sickafus Dose = Absorbed Energy Density

A Tutorial on Radiation Dose and Dose Rate Kurt Sickafus Dose = Absorbed Energy Density Absorbed energy normalized by weight, volume, atoms, etc. 1 Gy = 1 J kg SI units 2 Water: heat to boiling point J H 2 O = 4.1813 c p g K (@

724 views • 61 slides
Gen Gener eral In Inter eres ests: Secure Proximity / Distance Measurement GPS Spoofing and

Gen Gener eral In Inter eres ests: Secure Proximity / Distance Measurement GPS Spoofing and

Gen Gener eral In Inter eres ests: Secure Proximity / Distance Measurement GPS Spoofing and Spoofing Detec:on Usable Authen:ca:on (2FA) Security of Blockchains / Cryptocurrencies Trusted Compu:ng Secure Proximi mity / Distance Measureme

589 views • 30 slides
Multi-objective dose-finding Thomas Jaki Medical and Pharmaceutical Statistics Research Unit,

Multi-objective dose-finding Thomas Jaki Medical and Pharmaceutical Statistics Research Unit,

Multi-objective dose-finding Thomas Jaki Medical and Pharmaceutical Statistics Research Unit, Department of Mathematics and Statistics, Lancaster University, UK December 7, 2018 Acknowledgement: This project has received funding from the

999 views • 76 slides

More recommend