killed by code 2015
KILLED BY CODE
Mob Sec Mobile Security Conference 4/11/2010 Herzliya
Danny Lieberman – Software Associates.v6
Agenda
• Mobile medical is hot
• Applications
• Threat scenarios
• A threat model framework for secure code
• Summary
Mobile medical devices are hot
Mobile consumer electronics creates potential for life-saving applications that are cheaper and more accessible than any other alternative.
Social benefit comes at the price of cyber threats.
In this talk we present a systematic method of analysing cyber threats in mobile medical devices.
Applications
Threat scenarios
Countermeasures
MOBILE MEDICAL APPLICATIONS
Data tracking
Who: Patients, care-givers, doctors
What: Data acquisition
Why: Controlling symptoms of chronic illness requires tracking data over long periods of time.
• Glucose
• Heart rate
• Blood pressure
• Dosage (insulin, dopamine …)
• ...
Platforms: Smart-phones, data & location-based services.
Diabetes
Parkinson/MSA
Alzheimer
Asthma
Life-sustaining
Who: Patients
What: Implanted devices for cardiac pacing, defibrillation, drug delivery…
Why: Sustain life
Platforms: Embedded devices with mobile connectivity for remote monitoring & programming.
Chronic heart disease
Epilepsy
Diabetes
Depression
“…the latest technology in a full complement of patient-focused CRM products”
THREAT SCENARIOS
Threat scenario template
An attacker may exploit vulnerabilities to cause damage to assets.
Security countermeasures mitigate vulnerabilities and reduce risk.
Asset
Vulnerability
Attacker
Radio attack scenario
Patient with ICD
Clear text protocol
Threat T1 – A malicious attacker may exploit a clear text protocol and instruct an ICD to deliver a shock that would cause sudden cardiac death.
Vulnerability V1 – Clear text communications protocol
Countermeasure C1 – Encrypt network link
Countermeasure C2 – Validate messages using secure tokens.
Attacker
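Countermeasure C2 worked through, as an added example that is not part of the original slides: each command frame carries a counter and a truncated HMAC-SHA256 tag, and the device drops any frame whose tag fails or whose counter is not fresh. The frame layout, tag length, key and command strings are all assumptions made for illustration; the tag gives integrity and replay protection only, so confidentiality still depends on C1.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16  # truncated HMAC-SHA256 tag length in bytes (assumed)


def make_frame(key: bytes, counter: int, command: bytes) -> bytes:
    """Programmer side: 8-byte big-endian counter || command || tag."""
    body = struct.pack(">Q", counter) + command
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Device:
    """Device side: accept a frame only if the tag verifies and the counter is new."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def accept(self, frame: bytes):
        if len(frame) < 8 + TAG_LEN:
            return None  # too short to hold counter and tag
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None  # forged or modified in transit
        (counter,) = struct.unpack(">Q", body[:8])
        if counter <= self.last_counter:
            return None  # replay of an earlier, genuine frame
        self.last_counter = counter  # only authenticated frames advance state
        return body[8:]


def demo():
    key = bytes(range(32))  # constructed key; a real one is a per-device secret
    dev = Device(key)
    good = make_frame(key, 1, b"SET_RATE 60")  # hypothetical command string
    tampered = good[:8] + b"SET_RATE 99" + good[-TAG_LEN:]
    return {
        "genuine": dev.accept(good),
        "replayed": dev.accept(good),
        "tampered": dev.accept(tampered),
        "wrong_key": dev.accept(make_frame(b"\x00" * 32, 2, b"SET_RATE 60")),
        "next": dev.accept(make_frame(key, 2, b"READ_STATUS")),
    }


if __name__ == "__main__":
    print(demo())
```

Checking the tag before reading the counter means an unauthenticated frame can never advance `last_counter` and lock out the genuine programmer.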
Implantable Cardioverter Defibrillators
In 2008, approximately 350,000 pacemakers and 140,000 ICDs were implanted in the US.
Forecasted to $48BN in 2014.
Proof of concept attack:
• Reverse-engineered commands
• Intercepted vital signs, history
• Reprogrammed therapy settings
• DoS to deplete battery
• Directed the ICD to deliver 137V shocks that would induce ventricular fibrillation in a patient.
2008 ICD vulnerability study
Device defect attack scenario
Patient
Life
Software defects
Device malfunction
Threat T2 – An internal short circuit is undetected by the device control software and may be fatal.
Vulnerability V2 – Software doesn’t monitor hardware malfunctions
Countermeasure C3 – Notify customer service when hardware issue identified.
Countermeasure C4 – Implement fail-safe function
FDA device recalls
The FDA issued 23 recalls of defective devices in H1/2010.
All were “Class 1”: “reasonable probability that use of these products will cause serious adverse health consequences or death.”
At least 6 recalls were probably caused by software defects.
Malicious code attack scenario
ePHI
Weak or well-known passwords
Software defects
OS vulnerabilities
Malware
Threat T3 – Malicious code may be used in order to exploit multiple vulnerabilities and obtain patient information
Vulnerability V3 – USB and/or Internet access enabled
Countermeasure C4 – Hardware toggle USB
Countermeasure C5 – Network isolation
Countermeasure C6 – Software security assessment
Mobile clinical assistants
Mobile imaging analysis devices used by hospital radiologists had unplanned Internet access. Over 300 devices infected by Conficker and taken out of service.
Regulatory requirements mandated that the impacted hospitals would have to wait 90 days before the systems could be modified to remove the infections and vulnerabilities.
Where is the FDA?
Guidance documents from 2015 extend FDA regulatory oversight –
1. Mobile apps that are medical devices, draft 2/2015
2. Cyber security for networked devices, final 10/2014
However, if a device has FDA pre-market approval, consumers cannot sue the manufacturer for injuries and disability incurred because of the device.
“Riegel v. Medtronic”, 2008
A threat model security framework
Objectives
• Assess product risk
• Understand what threats count
• Prioritize countermeasures.
• Drive profits
Premarket approval.
Cyber security asset and threat framework.
Assess product risk
Understand what threats count
Prioritize countermeasures
Product management has 1 dollar in their pocket:
Countermeasure C1 – Encrypt network link to ICD
Countermeasure C21 – Validate POST requests with secure tokens.
Countermeasure C3 – Wearable “cloaker” to ensure that only authorized programmers can interact with the device.
Drive profits
Transparency means more eyeballs can look at issues.
More eyeballs reduces cost.
More eyeballs means safer devices.
Safer devices means more revenue.
Medical device threat models are transparent.
Sources
• Riegel v. Medtronic, Inc. http://www.law.cornell.edu/supct/html/06-179.ZS.html
• Pacemakers and implantable cardiac defibrillators: Software radio attacks and zero-power defenses. Daniel Halperin et al. Proceedings of the 29th Annual IEEE Symposium on Security and Privacy, May 2008. http://www.secure-medicine.org/icd-study/icd-study.pdf
• Software transparency in embedded medical devices. http://www.softwarefreedom.org/resources/2010/transparent-medical-devices.html
• Prof. Nir Giladi, Tel Aviv Souraski Hospital Neurology Department, personal communication on data tracking for MSA patients
• Biotronik – cellular pacemaker, http://www.biotronik.com/en/us/19412