SoK:Security and Privacy in Implantable Medical Devices
Michael Rushanan (1), Denis Foo Kune (2), Colleen M. Swanson (2), Aviel D. Rubin (1)
1. Johns Hopkins University
2. University of Michigan
This work was supported by STARnet, the Dept. of HHS under award number 90TR0003-01, and the NSF under award numbers CNS1329737 and 1330142.
What is an Implantable Medical Device?
• The FDA strictly defines a medical device
• Device – Embedded system that can sense and actuate
• Implantable – Surgically placed inside of a patient’s body
• Medical – Provides diagnosis and therapy for numerous health conditions
[Figure: various IMDs (neuro-stimulator, cochlear implant, cardiac defibrillator, insulin pump, gastric stimulator). A programmer programs the device, sends commands and receives telemetry; a magnetic field triggers the device’s magnetic switch.]
Implantable Medical Devices are not your typical PCs
• There exist resource limitations
 – The battery limits computation and is not rechargeable
• There are safety and utility concerns
 – The IMD must be beneficial to the patient and elevate patient safety above all else
 – Security and privacy mechanisms must not adversely affect the patient or therapy
• Lack of security mechanisms may have severe consequences
• IMDs provide safety-critical operation
 – Must fail-open in the context of an emergency
Research Questions
• How do we provide security and privacy mechanisms that adequately consider safety and utility?
• When do we use traditional security and privacy mechanisms or invent new protocols?
• How do we formally evaluate security and privacy mechanisms?
• Novel attack surfaces
A Healthcare Story
[Figure: Nurse Alice and patient Cardiac Carl]
Cardiac Carl’s Condition
• Atrial fibrillation
• Implantable Cardioverter Defibrillator (ICD)
• His ICD is safety-critical
[Figure: Cardiac Carl, atrial fibrillation]
Alice and Carl’s Relationship
[Figure: Nurse Alice visits Cardiac Carl, accesses his ICD with the programmer, receives private data, and adjusts therapy]
Where are the security and privacy mechanisms?
Alice and Carl’s Relationship (continued)
[Figure: Mallory (Hacker Elite) is added to the picture]
Alice, Mallory and Carl’s Relationship
[Figure: Cardiac Carl and Nurse Alice communicate wirelessly; Mallory can eavesdrop on, forge, modify, and jam that communication]
[Halperin, S&P, 08], [Li, HealthCom, 11]
Attack Surfaces
[Figure: Cardiac Carl with the three attack surfaces of his IMD]
• Telemetry Interface
• Software
• Hardware/Sensor Interface
Security and Privacy Mechanisms
• Security and privacy mechanisms exist in standards
 – Medical Implant Communication Services
 – Wireless Medical Telemetry Service
• These mechanisms are optional
• Interoperability might take priority over security
[Foo Kune, MedCOMM, 12]
[Figure 3. Trends in Security and Privacy Research on IMDs/BANs. Timeline from 2003 to 2013; categories: Biometric and Physiological Values, Distance Bounding, Wireless Attacks, Software/Malware, Anomaly Detection, Out-of-Band, External Devices, Emerging Threats. Legend: defense contribution, attack contribution, dependency relationship, food-grade meat phantom used. The slide annotates the figure with "Telemetry Interface" and "Future Work".]
Works shown in the figure:
• H2H: authentication using IPI. Rostami et al. [45], CCS ’13
• Attacks on OPFKA and IMDGuard. Rostami et al. [19], DAC ’13
• Using bowel sounds for audit. Henry et al. [46], HealthTech ’13
• OPFKA: key agreement based on overlapping PVs. Hu et al. [47], INFOCOM ’13
• Namaste: proximity-based attack against ECG. Bagade et al. [23], BSN ’13
• ASK-BAN: keygen and auth using wireless channel chars. Shi et al. [48], WiSec ’13
• FDA MAUDE and Recall database analysis. Alemzadeh et al. [49], SP ’13
• Attacks on friendly jamming techniques. Tippenhauer et al. [50], SP ’13
• MedMon: physical layer anomaly detection. Zhang et al. [51], T-BCAS ’13
• Ghost Talk: EMI signal injection on ICDs. Foo Kune et al. [22], SP ’13
• Key sharing via human body transmission. Chang et al. [52], HealthSec ’12
• Security and privacy analysis of MAUDE database. Kramer et al. [53], PLoS ONE ’12
• BANA: authentication using received signal strength variation. Shi et al. [54], WiSec ’12
• Side-channel attacks on BCI. Martinovic et al. [55], USENIX ’12
• PSKA: PPG and ECG-based key agreement. Venkatasubramanian et al. [56], T-ITB ’10
• Wristband and password tattoos. Denning et al. [39], CHI ’10
• ECG used to determine proximity. Jurik et al. [57], ICCCN ’11
• ICD validation and verification. Jiang et al. [58], ECRTS ’10
• Shield: external proxy and jamming device. Gollakota et al. [59], SIGCOMM ’11
• BioSec extension for BANs (journal version). Venkatasubramanian et al. [60], TOSN ’10
• Eavesdropping on acoustic authentication. Halevi et al. [61], CCS ’10
• Wireless attacks against insulin pumps. Li et al. [18], HealthCom ’11
• Authentication using body coupled communication. Li et al. [18], HealthCom ’11
• Software security analysis of external defibrillator. Hanna et al. [1], HealthSec ’10
• IMDGuard: ECG-based key management. Xu et al. [62], INFOCOM ’11
• Defending against resource depletion. Hei et al. [63], GLOBECOM ’10
• PPG-based key agreement. Venkatasubramanian et al. [64], MILCOM ’08
• Audible, tactile, and zero power key exchange. Halperin et al. [12], SP ’08
• Wireless attacks against ICDs. Halperin et al. [12], SP ’08
• Proximity-based access control using ultrasonic frequency. Rasmussen et al. [65], CCS ’09
• Security and privacy of neural devices. Denning et al. [66], Neurosurg Focus ’09
• Biometric requirements for key generation. Ballard et al. [67], USENIX ’08
• ECG-based key agreement. Venkatasubramanian et al. [68], INFOCOM ’08
• Cloaker: external proxy device. Denning et al. [69], HotSec ’08
• BioSec extension for BANs. Venkatasubramanian and Gupta [70], ICISIP ’06
• BioSec: extracting keys from PVs. Cherukuri et al. [71], ICPPW ’03
• Authentication and secure key exchange using IPI. Poon et al. [72], Commun. Mag ’06
Research Challenges
• Access to Implantable Medical Devices
 – Is much harder than getting other components
• Reproducibility
 – Limited analysis of attacks and defenses
 – Do not use meat-based human tissue simulators
 – Do use a calibrated saline solution at 1.8 g/L at 21 °C
• The complete design is described in the ANSI/AAMI PC69:2007 standard [92, Annex G]
Security and Privacy Mechanisms
• Biometric and Physiological Values
 – Key generation and agreement
• Electrocardiogram (ECG)
 – Heart activity signal
• Interpulse interval (IPI)
 – Time between heartbeats
H2H Authentication Protocol
[Rostami, CCS, 13]
[Figure: message flow between Cardiac Carl’s ICD and Nurse Alice’s programmer]
 – Cardiac Carl: measure ECG α
 – Nurse Alice: measure ECG β
 – Alice sends ECG measurement β; Carl sends ECG measurement α
 – The channel is TLS without certificates
H2H Authentication Protocol
[Rostami, CCS, 13]
• Adversarial assumptions
 – Active attacker with full network control
 – The attacker cannot:
  • Compromise the programmer
  • Engage in a denial-of-service
  • Remotely measure ECG to weaken authentication
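As an added illustration of the idea the two H2H slides sketch (written for this page, not code from the talk or from Rostami et al.), the model below has the ICD and the programmer each read the patient’s interpulse intervals, exchange them over the unauthenticated channel, and accept only when the two readings describe the same heartbeats. The IPI values, sensor-noise level and thresholds are constructed assumptions, not parameters from the paper.

```python
import random

IPI_COUNT = 32        # heartbeats compared per session (assumed)
TOLERANCE_MS = 25.0   # per-beat difference still treated as sensor noise (assumed)
MIN_AGREEMENT = 0.9   # fraction of beats that must agree (assumed)


def constructed_ipis(seed, n=IPI_COUNT, mean_ms=850.0, sd_ms=40.0):
    """Constructed interpulse intervals (ms) of one heart during one session."""
    rng = random.Random(seed)
    return [rng.gauss(mean_ms, sd_ms) for _ in range(n)]


def measure(true_ipis, seed, noise_sd_ms=5.0):
    """One device's reading of those beats, with its own sensor noise."""
    rng = random.Random(seed)
    return [x + rng.gauss(0.0, noise_sd_ms) for x in true_ipis]


def agreement(alpha, beta):
    """Fraction of beats on which two readings agree within TOLERANCE_MS."""
    if not alpha or len(alpha) != len(beta):
        return 0.0
    hits = sum(abs(a - b) <= TOLERANCE_MS for a, b in zip(alpha, beta))
    return hits / len(alpha)


def authenticate(imd_reading, programmer_reading):
    """ICD-side decision after both readings crossed the certificate-less TLS
    channel: the channel itself proves nothing about the peer, so the only
    evidence that the peer is touching the patient is that its reading
    describes the same heartbeats the ICD itself just observed."""
    return agreement(imd_reading, programmer_reading) >= MIN_AGREEMENT


def run_scenarios():
    """Nurse in contact with the patient versus two readings an attacker could hold."""
    carl_now = constructed_ipis(seed=1)            # Carl's heart during this visit
    alpha = measure(carl_now, seed=10)             # ICD's own ECG reading
    beta_alice = measure(carl_now, seed=11)        # programmer's reading of Carl
    carl_earlier = constructed_ipis(seed=2)        # an older recording of Carl
    beta_replay = measure(carl_earlier, seed=12)   # same distribution, other beats
    beta_mallory = measure(constructed_ipis(seed=3), seed=13)  # attacker's own heart
    return {
        "nurse_in_contact": authenticate(alpha, beta_alice),
        "replayed_old_recording": authenticate(alpha, beta_replay),
        "attacker_own_ecg": authenticate(alpha, beta_mallory),
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

A reading of Carl’s beats taken at the same moment by anyone else would pass this check, which is why the slide’s threat model has to assume the attacker cannot measure the ECG remotely.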
Physiological Values as an Entropy Source
• How do ECG-based protocols work in practice?
 – Age, exertion, noise
• ECG-based protocols rely on an analysis of ideal data in an unrealistic setting
 – Data sample is close to their ideal distribution
 – Very accurate estimate of distribution characteristics
 – Extract randomness using the estimate on the same data sample
• Observability
 – Using video processing techniques to extract ECG signals
[Rostami, S&P, 2013] [Chang, HealthTech, 2012]
[Poh, Biomedical Engineering, 11]
[Figure 3 repeated, with its Future Work categories highlighted]
Trusted Sensor Interface
• Current systems trust their analog sensor inputs
• This assumption may not always hold
• Forging signals using electromagnetic interference
 – Inject cardiac waveform
[Foo Kune, S&P, 2013]
Neurosecurity
• Neurostimulators
 – What are the new attack surfaces?
 – What are the implications of recording and transmitting brainwaves?
• Brain computer interfaces
• Cognitive recognition could leak:
 – Passwords, personal information
[Martinovic, USENIX, 2012], [Denning, Neurosurg Focus, 09]
Questions?
• IMDs are becoming more common
 – Improving patient outcomes
• Research gaps exist
 – Software
 – Sensor Interface
• Areas for future work include
 – Physiological values as an entropy source
 – Trusted sensor interface
 – Neurosecurity
• See our paper for more details!
This is Not Just an Engineering Problem
[Halperin, S&P, 08]