absence makes the heart grow fonder - school of...

New Directions for Implantable Medical Device Security

Absence Makes the Heart Grow Fonder:

Tamara Denning1, Tadayoshi Kohno1, Kevin Fu2

1University of Washington 2University of Massachusetts at Amherst

http://www.secure-medicine.org

Balancing Safety and Security

Implantable Medical Devices (IMDs)

Tamara Denning, University of Washington,

HotSec 2008

Pacemakers, Implantable Cardioverter Defibrillators (ICDs),

Drug Pumps, Neurostimulators

Life-Supporting/Quality of Life

Devices Have Wireless Capabilities

7/29/20082

Wireless ICD Attacks


HotSec 2008

Obtain serial number, patient name, diagnosis

Turn off therapies

Induce cardiac fibrillation

7/29/20083

Pacemakers and implantable cardiac defibrillators: Software radio attacks and zero-power

defenses [Halperin], Oakland „08

Why Security? Malicious Attacks


HotSec 2008 7/29/20084

Malicious Computer-Based Attacks


HotSec 2008 7/29/20085

Current Security

IMD does not keep list of authorized programmers

How about keeping a list and only allowing authorized

programmers?

7/29/2008Tamara Denning, University of Washington,

HotSec 20086

CLOSED ACCESS OPEN ACCESS

Goals of IMD Security


HotSec 20087

Y

YN

Tensions of IMD Security


HotSec 2008

Safety in the Common Case

Timely access anywhere, anytime

Security in the Adversarial Case

Protect from unauthorized access

7/29/20088



Insufficient Approaches


HotSec 2008

Case-by-Case Access Credentials

User Alert

Require Close Proximity

7/29/20089




HotSec 2008


User Alert


7/29/200810




HotSec 2008


User Alert


7/29/200811

What about encryption with a

carried passkey?


HotSec 200812

Y

YN

What about encryption with a

carried passkey?


HotSec 200813

Y

YN

N

New Approach


HotSec 200814

What if we REMOVE something to gain

access?

Communication Cloaker

How it works


HotSec 200815

NY

Y


Communication Cloaker


HotSec 2008

Present

Allows Pre-Approved Programmers (common case)

Blocks Unauthorized Programmers (adversarial case)

Absent

Fails open…Allows All Programmers!

7/29/200816

Assumptions


HotSec 2008

IMD Power is Limited – Use Cheap Cryptography

Cloaker Can be Recharged – Use Heavier Cryptography

IMD and Cloaker are Paired Long-term

17

Challenges


HotSec 200818

How to handle IMD-Programmer communications?

How the IMD “knows” the Cloaker‟s presence?

What if the emergency staff can‟t locate the Cloaker?

Challenges…Possible Answers


HotSec 200819

How to handle IMD-Programmer communications?

? Hand off symmetric key pair

? Proxy

How the IMD “knows” the Cloaker‟s presence?

? IMD listens and queries oracle

? Keep-alives

What if the emergency staff can‟t locate the Cloaker?

Pulse sensor

Preliminary Simulation


HotSec 2008

14 Java classes

TCP sockets

Inputs alter system

Selective DoS, jamming all wireless

Manageable code size

7/29/200820

ModuleType Code Size

Cloaker 179

IMD 115

Programmer 44

Other 294

Code Function Code Size

I/O 124

Configuration 72

Communication 436

Summary


HotSec 2008

New Approach to IMD Security

Further Investigations:

Passively-powered transceivers (WISPs)

Patient must wear Cloaker

Psychological Impact

What if the patient‟s wrist is trapped in a car?

7/29/200821

Interesting Research Landscape!


HotSec 2008 7/29/200822

Safety (open access)

Security (closed access)

Auditability

IMD Response Time

Battery Life

Storage Constraints

Patient Usability

Psychological EffectsHigh Impact

absence makes the heart grow fonder - school of...

Documents