Special Topics in Security and Privacy of Medical Information
Sujata Garera

Reminders
  Assignment due today
  Project part 1 due next Tuesday
  Assignment 2 will be online this evening
  2nd discussion session
  Use PDF-format images in slides

Medical device security (outline)
  Implantable medical devices
  Security risks
  Exploiting devices
  Design goals for secure devices
  Communication cloakers
Medical telemetry infrastructure
  Work by Halperin et al.
  Security and privacy properties of an implantable cardioverter defibrillator (ICD)
    Includes pacemaker technology
    Communicates wirelessly with an external programmer device in the 175 kHz frequency range
  Implemented several radio-based attacks
  Designed zero-power defenses based on RF power harvesting
    Human in the loop
  Results of the study
Implantable Cardioverter Defibrillator
  Monitors and responds to heart activity
  Modes:
    Pacing: periodically send a small stimulus to the heart
    Defibrillation: send a larger shock to restore normal heart rhythm

ICD implantation (figure)

ICD communications: magnetic switch
  A magnetic field in proximity to this switch causes it to close
  The ICD then wirelessly transmits telemetry data, including EKG readings
  The magnetic field usually comes from a magnet in the programming head
  The authors were able to activate transmission of telemetry without the presence of a magnetic field
ICD communications: wireless
  Wirelessly communicates with an external programmer in the 175 kHz band (short-range communications)
  Newer ICDs can also communicate in the 402-405 MHz band
  Why would longer ranges be beneficial?

Security model
  Adversary with a commercial ICD programmer
    The programmer can be operated by anyone
  Passive adversary
    Records RF messages between ICDs and programmers
    Could use equipment such as oscilloscopes, software radios, amplifiers and directional antennas
  Active adversary with a software-radio-based programmer
    Generates traffic
    Creates spurious transactions
  Which type of adversary presents the most risk?
Equipment used
  Recording oscilloscope
  Universal Software Radio Peripheral (USRP)
    Programmable device that works with the open source GNU Radio libraries on a host PC
    Single board containing an FPGA for fast signal processing
    Records signals as complex samples, which are interconvertible with the data format used by the oscilloscope
    Can sample at up to 8 MHz (8,000,000 samples/second)

Reverse engineering (figure): traffic from the commercial programmer is captured and reverse engineered
Reverse engineering: capture
  Capture around 175 kHz
  Process RF traces using MATLAB and the GNU Radio toolchain
  Analyze the captured bits
  Need to reverse engineer the physical layer first
    Determine the bits that correspond to the raw signals obtained from the oscilloscope and USRP

Reverse engineering the physical layer
  Encoding: converting data bits into radio symbols
  Modulation: the process of varying one waveform (the carrier) in relation to another (the symbols)

Reverse engineering from the programmer
  Observed that the programmer transmitted at a different frequency for each symbol state
  Deduced the modulation to be binary frequency shift keying (2-FSK)
    150 kHz and 200 kHz were the frequencies used to represent the two possible states
Reverse engineering from the ICD
  Did not have access to a wire carrying the raw bits
  Inserted known information into the ICD using the programmer: patient name set to a string of A's
  Analyzed the RF signal to identify the corresponding bits
  Observed that the ICD uses differential binary phase shift keying (DBPSK)
    Symbols are represented by transmission at the same frequency but with opposite phase
    Phase measures the displacement of the waveform from its origin point

Reverse engineering the physical layer: decoding the demodulated symbols
  What would you look for?
  Observed that the ICD and the programmer use the same encoding: Non-Return-to-Zero Inverted (NRZI) with bit stuffing
    Zero bits are represented by no change in symbol state over one symbol period
    One bits are represented by a change of symbol state
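The two physical layers just described (2-FSK at 150/200 kHz from the programmer, DBPSK at 175 kHz from the ICD, both carrying NRZI with bit stuffing) as a small end-to-end model in pure Python. This is an added example written for these notes; it is not code from the lecture or from Halperin et al. The page gives only the tone frequencies, the carrier frequency and the NRZI convention, so the sample rate, symbol rate, the bit-stuffing rule (a 1 inserted after five zeros), MSB-first bit order and the leading DBPSK reference symbol are all assumptions chosen for the example. The demo uses the lecture's known-plaintext trick: a name of all A's, whose byte 0x41 = 01000001 is easy to spot in a symbol stream and happens to contain a run of five zeros, so it also exercises the stuffing.

```python
import math

FS = 2_000_000                        # sample rate in Hz (assumed)
SPS = 400                             # samples per symbol, i.e. 5 kbaud (assumed); chosen so
                                      # every tone completes a whole number of cycles per symbol
F_SPACE, F_MARK = 150_000, 200_000    # programmer 2-FSK tones for symbol states 0 and 1 (from the page)
F_ICD = 175_000                       # ICD DBPSK carrier (from the page)
STUFF_RUN = 5                         # assumed rule: a 1 is inserted after 5 zeros, because NRZI
                                      # zeros carry no transition and long runs starve the clock

# --- bit level: bit stuffing and NRZI (0 = keep the symbol state, 1 = change it) ---
def stuff_bits(bits):
    out, zeros = [], 0
    for b in bits:
        out.append(b)
        zeros = zeros + 1 if b == 0 else 0
        if zeros == STUFF_RUN:
            out.append(1)             # forced transition; the receiver must drop it
            zeros = 0
    return out

def unstuff_bits(bits):
    out, zeros = [], 0
    for b in bits:
        if zeros == STUFF_RUN:        # this position holds a stuffed 1, not data
            if b != 1:
                raise ValueError("framing error: expected a stuffed 1")
            zeros = 0
            continue
        out.append(b)
        zeros = zeros + 1 if b == 0 else 0
    return out

def nrzi_encode(bits, state=0):
    symbols = []
    for b in bits:
        state ^= b                    # a 1 toggles the symbol state, a 0 keeps it
        symbols.append(state)
    return symbols

def nrzi_decode(symbols, state=0):
    bits = []
    for s in symbols:
        bits.append(s ^ state)        # 1 exactly when the state changed
        state = s
    return bits

def bytes_to_bits(data):              # MSB first (assumed)
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]

def bits_to_bytes(bits):              # a trailing partial byte is dropped
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits) - 7, 8))

# --- symbol level: the two modulations seen on the air ---
def _tone(freq, phase, start):
    """SPS samples of a cosine at freq, phase-continuous from absolute sample index start."""
    return [math.cos(2 * math.pi * freq * (start + n) / FS + phase) for n in range(SPS)]

def fsk_modulate(symbols):            # programmer side: a different frequency per symbol state
    samples = []
    for k, s in enumerate(symbols):
        samples += _tone(F_MARK if s else F_SPACE, 0.0, k * SPS)
    return samples

def _energy_at(window, freq):         # non-coherent tone detector: I and Q arms, phase irrelevant
    i = sum(x * math.cos(2 * math.pi * freq * n / FS) for n, x in enumerate(window))
    q = sum(x * math.sin(2 * math.pi * freq * n / FS) for n, x in enumerate(window))
    return i * i + q * q

def fsk_demodulate(samples):
    symbols = []
    for k in range(len(samples) // SPS):
        w = samples[k * SPS:(k + 1) * SPS]
        symbols.append(1 if _energy_at(w, F_MARK) > _energy_at(w, F_SPACE) else 0)
    return symbols

def dbpsk_modulate(symbols):          # ICD side: same frequency, opposite phase for state 1
    samples = []
    for k, s in enumerate([0] + list(symbols)):   # leading reference symbol (assumed)
        samples += _tone(F_ICD, math.pi * s, k * SPS)
    return samples

def dbpsk_demodulate(samples):
    """Differential detection: the dot product of two consecutive symbol windows is
    negative exactly when the phase flipped, i.e. when the symbol state changed."""
    windows = [samples[k * SPS:(k + 1) * SPS] for k in range(len(samples) // SPS)]
    symbols, state = [], 0
    for prev, cur in zip(windows, windows[1:]):
        if sum(a * b for a, b in zip(prev, cur)) < 0:
            state ^= 1
        symbols.append(state)
    return symbols

# --- end to end, one direction each ---
def programmer_encode(data):
    return fsk_modulate(nrzi_encode(stuff_bits(bytes_to_bits(data))))
def programmer_decode(samples):
    return bits_to_bytes(unstuff_bits(nrzi_decode(fsk_demodulate(samples))))
def icd_encode(data):
    return dbpsk_modulate(nrzi_encode(stuff_bits(bytes_to_bits(data))))
def icd_decode(samples):
    return bits_to_bytes(unstuff_bits(nrzi_decode(dbpsk_demodulate(samples))))

if __name__ == "__main__":
    print(stuff_bits(bytes_to_bits(b"A")))                # [0, 1, 0, 0, 0, 0, 0, 1, 1]
    print(icd_decode(icd_encode(b"AAAA")))                # b'AAAA'
    print(programmer_decode(programmer_encode(b"AAAA")))  # b'AAAA'
```

Two design points worth noticing. The DBPSK detector never needs an absolute phase reference: it compares each symbol window with the previous one, which is why "same frequency, opposite phase" can be recovered from a capture even without access to the ICD's raw bit line. And because NRZI already encodes a 1 as "state changed", a differential detector's flip decisions are the data bits themselves; the code keeps NRZI as a separate step only so the same decoder serves both directions.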
Eavesdropping
  What is the first step when eavesdropping?
  Transaction timeline of a conversation between the ICD programmer and the ICD (figure)
Eavesdropping: intercepting patient data
  Capture and reverse engineering showed that the ICD and programmer do not protect the exchange cryptographically
  Data transmitted in the clear include:
    Name
    Date of birth
    Medical ID number
    History
    Name and phone number of the treating physician
    Date of ICD implantation
    Serial number of the ICD

Intercepting telemetry
  When does telemetry get broadcast?
Intercepting telemetry
  Telemetry data is broadcast in the clear
  Contains representations of the patient's EKG, heart rate, and private information about the patient's cardiac activity in real time
  Identified using a known-plaintext approach (what is a known plaintext attack?)

Active attacks: replay attacks
  Transmit-only attacks over the 175 kHz band
  Method: start with the ICD in a known state, replay a recorded trace in a loop (traces from one second to 37.7 seconds long), then observe the ICD state afterward

Replay attack: triggering ICD identification
  Replayed a 1.5 second auto-identification trace recorded from the programmer
  Disclosed several details about the ICD, such as model and serial number

Replay attack: disclosing patient data
  After identification, the programmer asks the ICD for the rest of the information stored on it, including patient data
  GNU Radio was used to replay a 26 second capture containing the auto-identification and interrogation commands
  The ICD disclosed the same information as it did to the programmer
Replay attack: disclosing cardiac data
  A magnetic field can induce telemetry
  Replaying the initial part of the interrogation command can also induce telemetry from the ICD

Replay attack: changing the patient name
  Used GNU Radio to replay the trace for changing a patient name

Replay attack: setting the ICD's clock
  Attack succeeded after 10 replays

Replay attack: changing therapies
  Therapies are the ICD's responses to cardiac events
  GNU Radio was used to replay the command that turns off therapies
  Without therapies the ICD does not respond to potentially dangerous cardiac conditions

Replay attack: inducing fibrillation
  The ICD has a test mode in which it can induce ventricular fibrillation
  A 100 ohm resistor was placed between the ICD's defibrillation ports to measure the voltage during a commanded shock
  A 1 Joule shock sent using the programmer produced a peak voltage of 138.4 V
  The command was then replayed with the software radio: 30 replay attempts succeeded in causing similar voltage spikes
Zero-power defenses
  What factors must one consider when incorporating security features in an ICD?
  An effective approach should prevent or deter attacks by malicious outsiders with custom equipment as well as by insiders with commercial programmers
  Security and privacy mechanisms should draw no power from the ICD battery (no reduction of battery life)
    Prevents denial of service against the battery (power DoS)
  Security-sensitive events should be effortlessly detectable by the patient
  Security mechanisms should not introduce new failure modes

This lecture is based on "Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses" by Halperin et al., available on the course website.