Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses
Authors: Daniel Halperin, Thomas S. Heydt-Benjamin, Benjamin Ransford, Shane S. Clark, Benessa Defend, Will Morgan, Kevin Fu, Tadayoshi Kohno, William H. Maisel
Presenter: Raghu Rangan
• Implantable Medical Device
• Can control heart rate, deliver medication, etc.
• Sophisticated devices with radios
• But are they secure?
What Are IMDs?
• Implantable Cardiac Devices
• Radio-enabled, wirelessly programmable
• Pacemaking, defibrillation (steady shocks vs. single large shock)
• Communicates with a device programmer
ICDs
• Commercial ICD programmer
• Passive RF listener
• Active RF attacker
Adversaries
• Most research has focused on preventing unintentional failures
• RC5 on WISP
• Work using software radios to receive transmissions from commercial wireless protocols
Related Work
• Device programmers can be used directly
• Programmers can read all ICD information, change all settings
• No technological controls to ensure authorized use
Insider Attack
• Black box: watch communication between ICD and programmer
• Done using inexpensive components: oscilloscope, Universal Software Radio Peripheral
• Software: GNU Radio, Perl, Matlab
• Cost: less than $1000
Reverse Engineering
• Patient data transmitted cleartext
• Challenge: modulation, encoding. Not so difficult; standard schemes are used.
• Name, birth date, ID number, patient history, diagnosis, treating physician ...
Passive Monitoring
• In order to eavesdrop, need to establish timeline for bidirectional comms between ICD and programmer
• Do not need to decipher transmissions, can infer meanings and some content
Transaction Timeline
Eavesdropping Setup
• Replay attacks: attacker needs little knowledge
• Trigger information disclosure
• Change patient name, ICD clock
• Change therapies: can disable functions, quietly change device state
• Induce fibrillation: patient safety at risk
Active Attack: Replay
• Presence of strong magnet makes ICD transmit telemetry data
• Can also be triggered without magnet
• Radio use might drain the battery faster
• DoS could be quite dangerous: replacing the battery requires surgery
Active Attack: Denial of Service
• Prevent attacks from insiders and outsiders
• Draw no power from primary battery
• Security events should be detectable by patient
Defense Goals
• Use RFID tag (WISPer) to guard ICD communication
• WISPer harvests power from reader, can perform computations
• Three applications: notification, authentication, sensible key exchange
Zero Power Defense
• When WISPer is activated, beep via piezoelectric speaker
• After beep, notify ICD it can start using radio
• Patient aware when ICD is being programmed
• Can be deterrent for attacker
Notification
• Challenge/response protocol using RC5
• Only if authentication is successful will ICD be told to activate
• No power is used until authentication succeeds.
Authentication
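An added example, not from the slides or the paper's code: a nonce-based challenge/response built on RC5-32/12/16, showing why a response recorded by a passive listener fails when replayed. The message flow, the `Gatekeeper` class, and the sample key are assumptions made for illustration.

```python
import hmac, os, struct

M, P, Q, ROUNDS = 0xFFFFFFFF, 0xB7E15163, 0x9E3779B9, 12

def rotl(x, s):
    s &= 31
    return ((x << s) | (x >> (32 - s))) & M

def rc5_encrypt_block(key, block):
    """RC5-32/12/16: encrypt one 8-byte block under a 16-byte key."""
    L = list(struct.unpack("<4I", key))
    t = 2 * (ROUNDS + 1)
    S = [(P + i * Q) & M for i in range(t)]
    A = B = i = j = 0
    for _ in range(3 * t):                       # key-mixing passes
        A = S[i] = rotl((S[i] + A + B) & M, 3)
        B = L[j] = rotl((L[j] + A + B) & M, A + B)
        i, j = (i + 1) % t, (j + 1) % 4
    A, B = struct.unpack("<2I", block)
    A, B = (A + S[0]) & M, (B + S[1]) & M
    for r in range(1, ROUNDS + 1):
        A = (rotl(A ^ B, B) + S[2 * r]) & M
        B = (rotl(B ^ A, A) + S[2 * r + 1]) & M
    return struct.pack("<2I", A, B)

class Gatekeeper:
    """Hypothetical stand-in for the WISPer tag (assumed message flow)."""
    def __init__(self, key):
        self.key, self.nonce = key, None

    def challenge(self):
        self.nonce = os.urandom(8)               # fresh nonce per attempt
        return self.nonce

    def verify(self, response):
        if self.nonce is None:                   # no outstanding challenge
            return False
        expected = rc5_encrypt_block(self.key, self.nonce)
        self.nonce = None                        # single use: blocks replay
        return hmac.compare_digest(expected, response)

def demo():
    key = bytes(range(16))                       # constructed sample key
    tag = Gatekeeper(key)
    captured = rc5_encrypt_block(key, tag.challenge())  # programmer's reply
    first = tag.verify(captured)                 # legitimate session passes
    tag.challenge()                              # a new round gets a new nonce
    replayed = tag.verify(captured)              # recorded reply is rejected
    return first, replayed
```

Only when `verify` returns true would the tag signal the ICD to activate its radio, matching the slide's requirement that activation follows successful authentication.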
• Use audio as a channel for crypto key exchange
• Modulate sound wave using same scheme as radio
• Audible to patient, hard to hear at a distance
• Also uses no power
Key Exchange
• Still many open problems: key management, failure modes
• Security problems can have life-threatening consequences
• IMDs should be treated as what they are: computers
Conclusion and Future Work
Questions/Comments/Discussion