Special Topics in Security and Privacy of Medical Information. Reminders. Medical device security. Sujata Garera

Transcription:

Special Topics in Security and Privacy of Medical Information
Sujata Garera

Reminders
- Assignment due today
- Project part 1 due next Tuesday
- Assignment 2 will be online this evening
- 2nd Discussion session
- Use pdf format images in slides

Medical device security
- Implantable medical devices
- Security risks
- Exploiting devices
- Design goals for secure devices
- Communication cloakers

Medical telemetry infrastructure

Work by Halperin et al.
- Security and privacy properties of an implantable cardioverter defibrillator (ICD)
  - Includes pacemaker technology
  - Communicates wirelessly with external programmer device in 175 kHz frequency range
- Implemented several radio-based attacks
- Designed zero power defenses based on RF power harvesting
- Human in the loop

Results of study

Implantable Cardioverter Defibrillator
- Monitors and responds to heart activity
- Modes for
  - Pacing: Periodically send small stimulus to heart
  - Defibrillation: Send larger shock to restore normal heart rhythm

ICD implantation

ICD communications
- Magnetic switch
  - Magnetic field in proximity to this switch causes it to close
  - ICD wirelessly transmits telemetry data including EKG readings
  - Authors were able to activate transmission of telemetry without the presence of a magnetic field
  - Magnetic field usually comes from magnet in programming head

ICD communications
- Wireless communications
  - Wirelessly communicates with an external programmer using 175 kHz band (short range communications)
  - Newer ICDs can also communicate in 402-405 MHz band
  - Why would longer ranges be beneficial?

Security model
- Adversary with commercial ICD programmer
  - Programmer can be operated by anyone
- Passive adversary
  - Records RF messages between ICDs and programmers
  - Could use equipment like oscilloscopes, software radios, amplifiers and directional antennas
- Active adversary with software programmer
  - Generates traffic
  - Create spurious transactions

Security model
- Which type of adversary presents the most risk?

Equipment used
- Recording oscilloscope
- Universal Software Radio Peripheral (USRP)
  - Programmable device that interacts with open source GNU Radio libraries on a host PC

Equipment used - USRP
- Single board containing an FPGA for fast signal processing
- Records signals as complex samples which are interconvertible with the data format used by the oscilloscope
- Can sample up to 8 MHz (8000000 samples/second)

Reverse engineering
- Commercial Programmer
- Reverse Engineer

Reverse engineering
- Capture around 175 kHz
- Process RF traces using Matlab and GNU RF toolchain
- Analyze bits captured
  - Need to reverse engineer these bits at physical layer
  - Determine the bits that correspond to the raw signals obtained from oscilloscope and USRP

Reverse engineering
- Reverse engineering the physical layer
  - Encoding: convert data bits into radio symbols
  - Modulation: process of varying one waveform in relation to other waveform

Reverse engineering
- Reverse engineering from the programmer
  - Observed that programmer was transmitting at a different frequency for each symbol state
  - Deduced encoding to be binary frequency shift keying (2-FSK)
  - 150 kHz and 200 kHz were the frequencies used to represent the two possible states

Reverse engineering
- Reverse engineering from the ICD
  - Did not have access to wire carrying raw bits
  - Inserted information into the ICD using a programmer
  - Patient name set to string of A's
  - Analyzed RF signal to identify the respective bits
  - Observed the ICD uses differential binary phase shift keying (DBPSK)
  - Symbols are represented by transmission at the same frequency but opposite phase
  - Phase measures displacement from original point

Reverse engineering
- Reverse engineering the physical layer
  - Decoding demodulated symbols
  - What would you look for?
  - Observed that from ICD and programmer have same encoding
  - Non-Return to Zero Inverted with bit stuffing
  - Zero bits are represented with no change in symbol over one symbol period
  - One bits are represented by a change of symbol state
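The line code described above, worked through in Python as an added example (not code from the lecture or from Halperin et al.). The NRZI convention is the one on the slide; the bit-stuffing rule (a 1 after five consecutive 0s), the MSB-first bit order and all function names are assumptions, since the slides do not give them.

```python
STUFF_RUN = 5  # ASSUMPTION: a 1 is stuffed after five consecutive 0 bits

def to_bits(data):
    # MSB-first bit order is an assumption; the slides do not state it.
    return [(byte >> s) & 1 for byte in data for s in range(7, -1, -1)]

def from_bits(bits):
    # Pack MSB-first bits into bytes, ignoring an incomplete trailing byte.
    chunks = (bits[i:i + 8] for i in range(0, len(bits) - len(bits) % 8, 8))
    return bytes(sum(b << (7 - j) for j, b in enumerate(c)) for c in chunks)

def nrzi_encode(bits, state=0):
    # A 1 bit toggles the symbol state, a 0 bit holds it.
    return [state := state ^ bit for bit in bits]

def nrzi_decode(symbols, state=0):
    # A bit is 1 exactly when a symbol differs from the one before it.
    return [cur ^ prev for prev, cur in zip([state] + symbols[:-1], symbols)]

def stuff(bits):
    # Force a symbol change after every run of STUFF_RUN zeros.
    out, run = [], 0
    for bit in bits:
        out.append(bit)
        run = run + 1 if bit == 0 else 0
        if run == STUFF_RUN:
            out.append(1)
            run = 0
    return out

def unstuff(bits):
    # Drop stuffed bits; a 0 where a stuffed 1 is due is a framing error.
    out, run = [], 0
    stream = iter(bits)
    for bit in stream:
        out.append(bit)
        run = run + 1 if bit == 0 else 0
        if run == STUFF_RUN:
            if next(stream, 1) != 1:
                raise ValueError("bit-stuffing violation")
            run = 0
    return out

# Constructed sample (not a captured trace): the slide's "string of A's" marker.
SAMPLE_SYMBOLS = nrzi_encode(stuff(to_bits(b"AAAA")))

def decode_symbols(symbols):
    # Demodulated symbols -> NRZI decode -> remove stuffing -> bytes.
    return from_bits(unstuff(nrzi_decode(symbols)))
```

A repeated byte such as "A" produces a periodic symbol pattern, which is why a known field value makes the framing easy to recognize in a stream that carries no encryption.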

Reverse engineering
- Reverse engineering the

Eavesdropping
- What is the first step when eavesdropping?

Eavesdropping
- Transaction timeline of conversation between ICD programmer and ICD

Eavesdropping
- Intercepting Patient Data
  - Capture and reverse engineering showed
  - Do not protect cryptographically
  - Data transmitted in clear include
    - Name
    - DOB
    - Medical ID number
    - History
    - Name and phone number of treating physician
    - Dates of ICD implantation
    - Serial number of ICD
- Intercepting Telemetry
  - When does telemetry get broadcast?

Intercepting telemetry
- Telemetry data broadcast in clear
- Contain representations of patient's EKG
- Heart rate and private information about patient's cardiac activity in real time
- Observed with a known plaintext attack
- What is this?

Active attacks
- Replay attacks
  - Transmit only attacks over 175 kHz band
  - Start with ICD in known state
  - Replay the in a loop
  - One second to 37.7 seconds
  - Observe ICD state after

Active attacks
- Replay attacks
  - Triggering ICD identification
    - Replay 1.5 second auto identification trace recorded from programmer
    - Disclosed several details about ICD such as model and serial number
  - Disclosing patient data
    - After identification programmer asks ICD for rest of information stored on it including patient data
    - GNU Radio used to replay 26 second capture containing autoidentification and interrogation command
    - ICD disclosed same information as with programmer

Active attacks
- Replay attacks
  - Disclosing cardiac data
    - Magnetic field can induce telemetry
    - Replaying the initial part of the interrogatory command can also induce such from the ICD
  - Changing patient name
    - Used GNU Radio to replay the trace for changing a patient name

Active attacks
- Replay attacks
  - Setting the ICD's clock
    - Attack succeeded after 10 replays
  - Changing therapies
    - Therapies are ICD responses to cardiac events
    - GNU Radio used to turn off therapies
    - Without therapies ICD does not respond to potentially dangerous cardiac conditions

Active attacks
- Replay attacks
  - Inducing fibrillation
    - ICD has a test mode in which it can induce ventricular fibrillation
    - Introduced a 100 ohm resistor between the ICD's defibrillation ports to measure the voltage during a command shock
    - 1 Joule shock sent using programmer
    - Peak voltage observed is 138.4 V
    - Replayed command with software radio
    - 30 replay attempts succeeded in causing similar voltage spikes
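A receiver that accepts a recorded command verbatim, as in the replay results above, has no way to tell a fresh command from an old one. The following added example (not from the lecture or from Halperin et al.) contrasts such a receiver with one that binds each command to a single-use nonce; the frame format, command name, key handling and class names are all hypothetical.

```python
import hashlib
import hmac
import secrets

class StaticReceiver:
    """No freshness: any frame that was valid once is valid forever."""
    def __init__(self):
        self.accepted = []

    def handle(self, frame):
        if frame.startswith(b"CMD:"):
            self.accepted.append(frame)
            return True
        return False

class FreshReceiver:
    """Each command must carry a MAC over a nonce this receiver just issued."""
    def __init__(self, key):
        self.key, self.nonce, self.accepted = key, None, []

    def challenge(self):
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def handle(self, frame, tag):
        nonce, self.nonce = self.nonce, None  # a nonce is usable once
        if nonce is None:
            return False
        if not hmac.compare_digest(sign(self.key, nonce, frame), tag):
            return False
        self.accepted.append(frame)
        return True

def sign(key, nonce, frame):
    # Programmer side: bind the command to the receiver's current nonce.
    return hmac.new(key, nonce + frame, hashlib.sha256).digest()

def replay_outcomes():
    """Return (static_replay_accepted, fresh_first_accepted, fresh_replay_accepted)."""
    key = secrets.token_bytes(16)          # constructed demo key
    frame = b"CMD:SET_CLOCK"               # hypothetical command, not the ICD's format
    static = StaticReceiver()
    static.handle(frame)                   # legitimate session
    static_replay = static.handle(frame)   # recorded frame sent again
    fresh = FreshReceiver(key)
    tag = sign(key, fresh.challenge(), frame)
    first = fresh.handle(frame, tag)       # legitimate session
    fresh.challenge()                      # new session, new nonce
    replay = fresh.handle(frame, tag)      # recorded frame and tag sent again
    return static_replay, first, replay
```

The nonce check alone does not meet the power constraint in the design goals that follow, since every challenge still costs the receiver a MAC computation.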

Zero power defenses
- What factors must one consider when incorporating security features in an ICD?

Zero power defenses
- Effective approach should either prevent or deter attacks by malicious outsiders with custom equipment as well as insiders with commercial programmers
- Security and privacy should draw no power from the battery
  - Prevent DoS on power
- Security sensitive events should be effortlessly detectable by the patient
- Security mechanisms should not introduce failure modes

This lecture
- Based on "Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses" by Halperin et al., available on website.