absence makes the heart grow fonder - school of...
TRANSCRIPT
New Directions for Implantable Medical Device Security
Absence Makes the Heart Grow Fonder:
Tamara Denning1, Tadayoshi Kohno1, Kevin Fu2
1University of Washington 2University of Massachusetts at Amherst
http://www.secure-medicine.org
Balancing Safety and Security
Implantable Medical Devices (IMDs)
Tamara Denning, University of Washington,
HotSec 2008
Pacemakers, Implantable Cardioverter Defibrillators (ICDs),
Drug Pumps, Neurostimulators
Life-Supporting/Quality of Life
Devices Have Wireless Capabilities
7/29/20082
Wireless ICD Attacks
Tamara Denning, University of Washington,
HotSec 2008
Obtain serial number, patient name, diagnosis
Turn off therapies
Induce cardiac fibrillation
7/29/20083
Pacemakers and implantable cardiac defibrillators: Software radio attacks and zero-power
defenses [Halperin], Oakland „08
Why Security? Malicious Attacks
Tamara Denning, University of Washington,
HotSec 2008 7/29/20084
Malicious Computer-Based Attacks
Tamara Denning, University of Washington,
HotSec 2008 7/29/20085
Current Security
IMD does not keep list of authorized programmers
How about keeping a list and only allowing authorized
programmers?
7/29/2008Tamara Denning, University of Washington,
HotSec 20086
CLOSED ACCESS OPEN ACCESS
Goals of IMD Security
7/29/2008Tamara Denning, University of Washington,
HotSec 20087
Y
YN
Tensions of IMD Security
Tamara Denning, University of Washington,
HotSec 2008
Safety in the Common Case
Timely access anywhere, anytime
Security in the Adversarial Case
Protect from unauthorized access
7/29/20088
CLOSED ACCESS OPEN ACCESS
CLOSED ACCESS OPEN ACCESS
Insufficient Approaches
Tamara Denning, University of Washington,
HotSec 2008
Case-by-Case Access Credentials
User Alert
Require Close Proximity
7/29/20089
CLOSED ACCESS OPEN ACCESS
Insufficient Approaches
Tamara Denning, University of Washington,
HotSec 2008
Case-by-Case Access Credentials
User Alert
Require Close Proximity
7/29/200810
CLOSED ACCESS OPEN ACCESS
Insufficient Approaches
Tamara Denning, University of Washington,
HotSec 2008
Case-by-Case Access Credentials
User Alert
Require Close Proximity
7/29/200811
What about encryption with a
carried passkey?
7/29/2008Tamara Denning, University of Washington,
HotSec 200812
Y
YN
What about encryption with a
carried passkey?
7/29/2008Tamara Denning, University of Washington,
HotSec 200813
Y
YN
N
New Approach
7/29/2008Tamara Denning, University of Washington,
HotSec 200814
What if we REMOVE something to gain
access?
Communication Cloaker
How it works
7/29/2008Tamara Denning, University of Washington,
HotSec 200815
NY
Y
CLOSED ACCESS OPEN ACCESS
Communication Cloaker
Tamara Denning, University of Washington,
HotSec 2008
Present
Allows Pre-Approved Programmers (common case)
Blocks Unauthorized Programmers (adversarial case)
Absent
Fails open…Allows All Programmers!
7/29/200816
Assumptions
7/29/2008Tamara Denning, University of Washington,
HotSec 2008
IMD Power is Limited – Use Cheap Cryptography
Cloaker Can be Recharged – Use Heavier Cryptography
IMD and Cloaker are Paired Long-term
17
Challenges
7/29/2008Tamara Denning, University of Washington,
HotSec 200818
How to handle IMD-Programmer communications?
How the IMD “knows” the Cloaker‟s presence?
What if the emergency staff can‟t locate the Cloaker?
Challenges…Possible Answers
7/29/2008Tamara Denning, University of Washington,
HotSec 200819
How to handle IMD-Programmer communications?
? Hand off symmetric key pair
? Proxy
How the IMD “knows” the Cloaker‟s presence?
? IMD listens and queries oracle
? Keep-alives
What if the emergency staff can‟t locate the Cloaker?
Pulse sensor
Preliminary Simulation
Tamara Denning, University of Washington,
HotSec 2008
14 Java classes
TCP sockets
Inputs alter system
Selective DoS, jamming all wireless
Manageable code size
7/29/200820
ModuleType Code Size
Cloaker 179
IMD 115
Programmer 44
Other 294
Code Function Code Size
I/O 124
Configuration 72
Communication 436
Summary
Tamara Denning, University of Washington,
HotSec 2008
New Approach to IMD Security
Further Investigations:
Passively-powered transceivers (WISPs)
Patient must wear Cloaker
Psychological Impact
What if the patient‟s wrist is trapped in a car?
7/29/200821
Interesting Research Landscape!
Tamara Denning, University of Washington,
HotSec 2008 7/29/200822
Safety (open access)
Security (closed access)
Auditability
IMD Response Time
Battery Life
Storage Constraints
Patient Usability
Psychological EffectsHigh Impact