Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses


Dec 13, 2013 (3 years and 10 months ago)


Authors: Daniel Halperin, Thomas S. Heydt-Benjamin, Benjamin Ransford, Shane S. Clark, Benessa Defend, Will Morgan, Kevin Fu, Tadayoshi Kohno, William H. Maisel

Presenter: Raghu Rangan


What Are IMDs?

- Implantable Medical Device
- Can control heart rate, deliver medication, etc.
- Sophisticated devices with radios
- But are they secure?


ICDs

- Implantable Cardiac Devices
- Radio-enabled, wirelessly programmable
- Pacemaking, defibrillation (steady shocks vs. single large shock)
- Communicates with a device programmer


Adversaries

- Commercial ICD programmer
- Passive RF listener
- Active RF attacker


Related Work

- Most research has focused on preventing unintentional failures
- RC5 on WISP
- Work using software radios to receive transmissions from commercial wireless protocols


Insider Attack

- Device programmers can be used directly
- Programmers can read all ICD information, change all settings
- No technological controls to ensure authorized use


Reverse Engineering

- Black box: watch communication between ICD and programmer
- Done using inexpensive components:
  - Oscilloscope
  - Universal Software Radio Peripheral
  - Software: GNU Radio, Perl, Matlab
- Cost: less than $1000


Passive Monitoring

- Patient data transmitted in cleartext
- Challenge: modulation, encoding
- Not so difficult, standard schemes are used.
- Name, birth date, ID number, patient history, diagnosis, treating physician ...


Transaction Timeline

- In order to eavesdrop, need to establish timeline for bidirectional comms between ICD and programmer
- Do not need to decipher transmissions, can infer meanings and some content

Eavesdropping Setup


Active Attack: Replay

- Replay attacks: attacker needs little knowledge
- Trigger information disclosure
- Change patient name, ICD clock
- Change therapies
- Can disable functions
- Quietly change device state
- Induce fibrillation
- Patient safety at risk


Active Attack: Denial of Service

- Presence of strong magnet makes ICD transmit telemetry data
- Can also be triggered without magnet
- Radio use might run down the battery faster
- DoS could be quite dangerous: replacing the battery requires surgery


Defense Goals

- Prevent attacks from insiders and outsiders
- Draw no power from primary battery
- Security events should be detectable by patient


Zero Power Defense

- Use RFID tag (WISPer) to guard ICD communication
- WISPer harvests power from reader, can perform computations
- Three applications:
  - Notification
  - Authentication
  - Sensible key exchange



Notification

- When WISPer is activated, beep via piezoelectric speaker
- After beep, notify ICD it can start using radio
- Patient aware when ICD is being programmed
- Can be deterrent for attacker


Authentication

- Challenge/response protocol using RC5
- Only if authentication is successful will ICD be told to activate
- No power is used until authentication succeeds.
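
The challenge/response gate from the Authentication slide, sketched as an added example (not code from the slides or the paper): the tag issues a fresh nonce, the programmer returns its RC5 encryption, and the radio is enabled only on a match, so a response captured by a passive listener fails when replayed. Assumptions: a pre-shared 16-byte key, an 8-byte random nonce, RC5-32/12/16 parameters, and the hypothetical names `Wisper`, `programmer_response` and `demo`.

```python
import hmac, os, struct

R, MASK = 12, 0xFFFFFFFF   # RC5-32/12/16: 32-bit words, 12 rounds, 16-byte key (assumed)

def rotl(x, n):
    x, n = x & MASK, n & 31
    return ((x << n) | (x >> (32 - n))) & MASK

def rc5_expand(key):                      # key schedule -> 2*(R+1) round words
    L = list(struct.unpack("<4I", key))
    S = [(0xB7E15163 + i * 0x9E3779B9) & MASK for i in range(2 * (R + 1))]
    a = b = i = j = 0
    for _ in range(3 * len(S)):
        a = S[i] = rotl(S[i] + a + b, 3)
        b = L[j] = rotl(L[j] + a + b, a + b)
        i, j = (i + 1) % len(S), (j + 1) % len(L)
    return S

def rc5_encrypt(S, block):                # encrypt one 8-byte block
    a, b = struct.unpack("<2I", block)
    a, b = (a + S[0]) & MASK, (b + S[1]) & MASK
    for i in range(1, R + 1):
        a = (rotl(a ^ b, b) + S[2 * i]) & MASK
        b = (rotl(b ^ a, a) + S[2 * i + 1]) & MASK
    return struct.pack("<2I", a, b)

def programmer_response(key, nonce):      # programmer side: prove knowledge of the key
    return rc5_encrypt(rc5_expand(key), nonce)

class Wisper:                             # hypothetical model of the tag gating the ICD radio
    def __init__(self, key):
        self._S, self._nonce, self.radio_enabled = rc5_expand(key), None, False
    def challenge(self):
        self._nonce = os.urandom(8)       # fresh, unpredictable nonce for each attempt
        return self._nonce
    def verify(self, response):
        nonce, self._nonce = self._nonce, None   # each nonce is accepted at most once
        ok = nonce is not None and hmac.compare_digest(rc5_encrypt(self._S, nonce), response)
        self.radio_enabled = self.radio_enabled or ok   # ICD is woken only after a success
        return ok

def demo():
    key = bytes(range(16))                # constructed sample key
    tag, other = Wisper(key), Wisper(key)
    captured = programmer_response(key, tag.challenge())
    genuine = tag.verify(captured)
    tag.challenge()                       # a later session gets a new nonce
    replayed = tag.verify(captured)       # stale response against the fresh nonce
    wrong_key = other.verify(programmer_response(bytes(16), other.challenge()))
    return genuine, replayed, wrong_key, other.radio_enabled
```

`demo()` returns the outcome of a genuine exchange, a replayed response, a wrong-key response, and whether the radio was enabled after the wrong-key attempt.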


Key Exchange

- Use audio as a channel for crypto key exchange
- Modulate sound wave using same scheme as radio
- Audible to patient, hard to hear at a distance
- Also uses no power


Conclusion and Future Work

- Still many open problems: key management, failure modes
- Security problems can have life-threatening consequences
- IMDs should be treated as what they are: computers

Questions/Comments/Discussion