SoK: Security and Privacy in Implantable Medical Devices
Michael Rushanan (1), Denis Foo Kune (2), Colleen M. Swanson (2), Aviel D. Rubin (1)
1. Johns Hopkins University
2. University of Michigan
This work was supported by STARnet, the Dept. of HHS under award number 90TR0003-01, and the NSF under award numbers CNS1329737 and 1330142.
What is an Implantable Medical Device?
• The FDA strictly defines a medical device
• Device – An embedded system that can sense and actuate
• Implantable – Surgically placed inside a patient's body
• Medical – Provides diagnosis and therapy for numerous health conditions
(Examples pictured: neurostimulator, cochlear implant, cardiac device, gastric stimulator, insulin pump)
Implantable Medical Devices are not your typical PCs
• There are resource limitations
– The battery limits computation and is not rechargeable
• There are safety and utility concerns
– The IMD must be beneficial to the patient and elevate patient safety above all else
– Security and privacy mechanisms must not adversely affect the patient or the therapy
• Lack of security mechanisms may have severe consequences
• IMDs provide safety-critical operation
– They must fail open in the context of an emergency
Research Questions
• How do we provide security and privacy mechanisms that adequately consider safety and utility?
• When do we use traditional security and privacy mechanisms, and when do we invent new protocols?
• How do we formally evaluate security and privacy mechanisms?
• Novel attack surfaces
A Healthcare Story
(Characters: Alice, a nurse; Cardiac Carl, a patient)
Cardiac Carl's Condition
• Atrial fibrillation
• Implantable Cardioverter Defibrillator (ICD)
• His ICD is safety-critical
Alice and Carl's Relationship
Nurse Alice visits Cardiac Carl, accesses his ICD with a programmer, receives private data, and adjusts therapy.
Where are the security and privacy mechanisms?
Alice and Carl's Relationship
(Enter Mallory, the elite hacker)
Mallory and Carl's Relationship
Mallory can eavesdrop on, modify, forge, or jam the wireless communication between Nurse Alice's programmer and Cardiac Carl's ICD.
[Halperin, S&P, 08], [Li, HealthCom, 11]
Attack Surfaces
• Telemetry interface
• Software
• Hardware/sensor interface
Security and Privacy Mechanisms
• Security and privacy mechanisms exist in standards
– Medical Implant Communication Service (MICS)
– Wireless Medical Telemetry Service (WMTS)
• These mechanisms are optional
• Interoperability might take priority over security [Foo Kune, MedCOMM, 12]
Related Work Timeline (2003 to 2013)
Categories: Biometrics and Physiological Values; Anomaly Detection; Telemetry Interface; Distance Bounding; Software/Malware; External Devices; Future Work; Out-of-Band
2013
• H2H: authentication using IPI (Rostami et al. [45], CCS '13)
• Attacks on OPFKA and IMDGuard (Rostami et al. [19], DAC '13)
• Using bowel sounds for audit (Henry et al. [46], HealthTech '13)
• OPFKA: key agreement based on overlapping PVs (Hu et al. [47], INFOCOM '13)
• Namaste: proximity-based attack against ECG (Bagade et al. [23], BSN '13)
• ASK-BAN: key generation and authentication using wireless channel characteristics (Shi et al. [48], WiSec '13)
• FDA MAUDE and Recall database analysis (Alemzadeh et al. [49], SP '13)
• Attacks on friendly jamming techniques (Tippenhauer et al. [50], SP '13)
• MedMon: physical-layer anomaly detection (Zhang et al. [51], T-BCAS '13)
• Ghost Talk: EMI signal injection on ICDs (Foo Kune et al. [22], SP '13)
2012
• Key sharing via human body transmission (Chang et al. [52], HealthSec '12)
• Security and privacy analysis of the MAUDE database (Kramer et al. [53], PLoS ONE '12)
• BANA: authentication using received signal strength variation (Shi et al. [54], WiSec '12)
• Side-channel attacks on BCI (Martinovic et al. [55], USENIX '12)
2010 to 2011
• PSKA: PPG- and ECG-based key agreement (Venkatasubramanian et al. [56], T-ITB '10)
• Wristbands and password tattoos (Denning et al. [39], CHI '10)
• ECG used to determine proximity (Jurik et al. [57], ICCCN '11)
• ICD validation and verification (Jiang et al. [58], ECRTS '10)
• Shield: external proxy and jamming device (Gollakota et al. [59], SIGCOMM '11)
• BioSec extension for BANs, journal version (Venkatasubramanian et al. [60], TOSN '10)
• Eavesdropping on acoustic authentication (Halevi et al. [61], CCS '10)
• Wireless attacks against insulin pumps (Li et al. [18], HealthCom '11)
• Authentication using body-coupled communication (Li et al. [18], HealthCom '11)
• Software security analysis of an external defibrillator (Hanna et al. [1], HealthSec '10)
• IMDGuard: ECG-based key management (Xu et al. [62], INFOCOM '11)
• Defending against resource depletion (Hei et al. [63], GLOBECOM '10)
2008 to 2009
• PPG-based key agreement (Venkatasubramanian et al. [64], MILCOM '08)
• Audible, tactile, and zero-power key exchange (Halperin et al. [12], SP '08)
• Wireless attacks against ICDs (Halperin et al. [12], SP '08)
• Proximity-based access control using ultrasonic frequency (Rasmussen et al. [65], CCS '09)
• Security and privacy of neural devices (Denning et al. [66], Neurosurg Focus '09)
• Biometric requirements for key generation (Ballard et al. [67], USENIX '08)
• ECG-based key agreement (Venkatasubramanian et al. [68], INFOCOM '08)
• Cloaker: external proxy device (Denning et al. [69], HotSec '08)
2006
• BioSec extension for BANs (Venkatasubramanian and Gupta [70], ICISIP '06)
• Authentication and secure key exchange using IPI (Poon et al. [72], Commun. Mag '06)
2003
• BioSec: extracting keys from PVs (Cherukuri et al. [71], ICPPW '03)
Research Challenges
• Access to implantable medical devices
– Is much harder than getting other components
• Reproducibility
– Limited analysis of attacks and defenses
– Do not use meat-based human tissue simulators
– Do use a calibrated saline solution at 1.8 g/L at 21 °C
• The complete design is described in the ANSI/AAMI PC69:2007 standard [92, Annex G]
Security and Privacy Mechanisms
• Biometric and physiological values
– Key generation and agreement
• Electrocardiogram (ECG)
– Heart activity signal
• Interpulse interval (IPI)
– Time between heartbeats
H2H Authentication Protocol (TLS without certs)
• Cardiac Carl (ICD) measures ECG α
• Nurse Alice (programmer) measures ECG β
• Alice sends ECG measurement β
• Carl sends ECG measurement α
[Rostami, CCS, 13]
H2H Authentication Protocol
• Adversarial assumptions
– Active attacker with full network control
– The attacker cannot:
• Compromise the programmer
• Engage in a denial-of-service
• Remotely measure ECG to weaken authentication
[Rostami, CCS, 13]
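To make the ECG-comparison step of the protocol on the two preceding slides concrete, here is an added simulation that is not from the paper or the H2H authors: the programmer (Alice) commits to her measurement β before the ICD (Carl) reveals α, then reveals β, and the ICD accepts only if the two IPI sequences agree beat-by-beat within a tolerance. The commitment step, the tolerance-based match rule, the constructed Gaussian IPI model and all seeds are assumptions of this example; the certificate-less key exchange is not modeled.

```python
import hashlib
import random
import secrets
from typing import List, Tuple


def simulate_heart(n: int, seed: int, mean_ms=1000.0, sd_ms=50.0) -> List[float]:
    """Constructed stand-in for one heart: true inter-pulse intervals (IPIs) in ms."""
    rng = random.Random(seed)
    return [rng.gauss(mean_ms, sd_ms) for _ in range(n)]


def measure(true_ipis: List[float], sensor_seed: int, noise_ms=2.0) -> List[int]:
    """One party's reading of a heart: true IPIs plus its own sensor noise, in whole ms."""
    rng = random.Random(sensor_seed)
    return [round(x + rng.gauss(0.0, noise_ms)) for x in true_ipis]


def commit(reading: List[int], nonce: bytes) -> str:
    return hashlib.sha256(nonce + ",".join(map(str, reading)).encode()).hexdigest()


def programmer_commit(beta: List[int]) -> Tuple[str, bytes]:
    """Step 1 (Alice -> Carl): commit to ECG measurement beta before seeing alpha."""
    nonce = secrets.token_bytes(16)
    return commit(beta, nonce), nonce


def icd_verify(alpha: List[int], commitment: str, beta: List[int], nonce: bytes,
               tol_ms: int = 8, min_match: float = 0.9) -> bool:
    """Step 3 (Carl checks the reveal): reject if the reveal does not match the
    commitment, then require most IPIs to agree within tol_ms."""
    if commit(beta, nonce) != commitment or len(beta) != len(alpha):
        return False
    agree = sum(abs(a - b) <= tol_ms for a, b in zip(alpha, beta))
    return agree / len(alpha) >= min_match


def run_session(seed: int = 7, n: int = 64, party: str = "alice") -> bool:
    """Return whether Carl's ICD accepts the programmer's ECG proof."""
    carl = simulate_heart(n, seed)
    alpha = measure(carl, seed + 1)                 # Carl's ICD reads his own heart
    if party == "alice":
        beta = measure(carl, seed + 2)              # Alice's programmer, in contact with Carl
    else:
        beta = measure(simulate_heart(n, seed + 99), seed + 3)  # Mallory: some other heart
    commitment, nonce = programmer_commit(beta)     # 1. programmer -> ICD
    # 2. ICD -> programmer: alpha is released only after the commitment arrived
    if party == "mallory_echo":
        beta = alpha   # Mallory learned alpha in step 2 and tries to reveal it as her own
    return icd_verify(alpha, commitment, beta, nonce)   # 3. programmer -> ICD: reveal
```

The two Mallory cases show why the ordering matters: a remote attacker has no reading that agrees with Carl's heart, and an attacker who waits for α cannot present it because she already committed to something else.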
Physiological Values as an Entropy Source
• How do ECG-based protocols work in practice?
– Age, exertion, noise [Rostami, S&P, 2013] [Chang, HealthTech, 2012]
• ECG-based protocols rely on an analysis of ideal data in an unrealistic setting
– The data sample is close to their ideal distribution
– A very accurate estimate of the distribution characteristics
– Randomness is extracted using the estimate on the same data sample
• Observability
– Using video processing techniques to extract ECG signals [Poh, Biomedical Engineering, 11]
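The slide's methodological point (fit the distribution on a sample, then extract randomness from that same sample) can be shown numerically. The following added example is not from the paper: it fits quantile bin edges to one constructed IPI recording and scores the resulting symbols on the same recording, on a held-out recording of the same state, and on a recording after mild exertion. The Gaussian IPI model, the parameter shifts and the quantile quantizer are assumptions of this example.

```python
import bisect
import math
import random
from collections import Counter
from typing import Dict, List


def simulate_ipi(n: int, mean_ms: float, sd_ms: float, seed: int) -> List[float]:
    """Constructed stand-in for a recording of inter-pulse intervals (ms)."""
    rng = random.Random(seed)
    return [rng.gauss(mean_ms, sd_ms) for _ in range(n)]


def quantile_thresholds(sample: List[float], bits: int) -> List[float]:
    """Bin edges at the 1/2^bits quantiles of *this* sample: on the sample they
    were fitted to, the bins are equiprobable by construction."""
    s, k = sorted(sample), 2 ** bits
    return [s[len(s) * i // k] for i in range(1, k)]


def quantize(sample: List[float], thresholds: List[float]) -> List[int]:
    return [bisect.bisect_right(thresholds, x) for x in sample]


def shannon_entropy(symbols: List[int]) -> float:
    n = len(symbols)
    return -sum(c / n * math.log2(c / n) for c in Counter(symbols).values())


def min_entropy(symbols: List[int]) -> float:
    """Worst-case guessing entropy: what a key-derivation argument should use."""
    return -math.log2(max(Counter(symbols).values()) / len(symbols))


def compare_estimates(bits: int = 2, n: int = 4000) -> Dict[str, float]:
    """Entropy per quantized IPI symbol under three evaluation settings."""
    rest = simulate_ipi(n, mean_ms=1000.0, sd_ms=50.0, seed=1)
    thresholds = quantile_thresholds(rest, bits)
    # (a) Circular: thresholds fitted on the same sample they are scored on.
    same = quantize(rest, thresholds)
    # (b) Held-out recording of the same subject in the same state.
    held_out = quantize(simulate_ipi(n, 1000.0, 50.0, seed=2), thresholds)
    # (c) Same subject after mild exertion: faster, slightly more variable rhythm.
    exertion = quantize(simulate_ipi(n, 950.0, 60.0, seed=3), thresholds)
    return {
        "ideal_bits": float(bits),
        "same_sample_shannon": shannon_entropy(same),
        "held_out_shannon": shannon_entropy(held_out),
        "exertion_shannon": shannon_entropy(exertion),
        "exertion_min_entropy": min_entropy(exertion),
    }
```

Setting (a) reports the full 2 bits per symbol regardless of the underlying data, which is the circularity the slide describes; only (b) and (c) say anything about the entropy a deployed protocol would actually get.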