Absence makes the heart grow fonder: new directions for implantable medical device security

HotSec, 2008.

Cited by: 166

Abstract:

Security proponents heavily emphasize the importance of choosing a strong password (one with high entropy). Unfortunately, by design, most humans are apparently incapable of generating such passwords, or memorizing a random-looking, machine-generated ...

Introduction
  • There is an on-going revolution in wireless implantable medical device (IMD) technologies.
  • Such devices — which are wholly or partially implanted within patients’ bodies — are enabling new medical therapies with the potential of greatly improving patients’ lives, but are incorporating more sophisticated wireless transceivers and becoming more computationally complex.
  • Consider the simple fact that commercial implantable medical device programming hardware (a.k.a. a commercial programmer) could be used both by legitimate medical practitioners and by adversaries:
Highlights
  • There is an on-going revolution in wireless implantable medical device (IMD) technologies.
  • We believe that the fail-open Cloaker approaches will allow us to achieve new — and we argue, in some cases better — balances between safety and security for many classes of implantable medical devices.
  • We explore the Cloaker design space, the relationship to previous security approaches to implantable medical devices, and some remaining challenges.
  • The argument is that these alerts could allow patients to detect the onset of potentially malicious actions, and that these alerts could serve as a deterrent to adversaries. While we view this approach as raising the bar over the security of existing implantable medical devices such as the defibrillator we studied in [9], we believe that this approach does not provide an ideal level of security.
  • We propose a new class of defensive techniques — Communication Cloakers — for improving the security and privacy of wireless implantable medical devices.
  • While Cloakers will not be applicable to all types of implantable medical devices, for many implantable medical devices we argue that Cloakers will strike a new balance between safety in the common case and security under adversarial conditions.
Methods
  • There are several design tensions that arise from the form factor of IMDs and their role in medical treatment.
  • Safety and Open Access in Emergencies.
  • An IMD security system needs to allow open access in emergency situations.
  • Emergency caregivers need to have an unhindered ability to change the settings on or disable many classes of IMDs.
  • Security and Privacy Under Adversarial Conditions.
  • Wireless communication capabilities open up vulnerabilities to attacks from greater distances.
  • A security system for an IMD should strive to meet the traditional security goals of confidentiality, integrity, and availability.
Conclusion
  • The authors propose a new class of defensive techniques — Communication Cloakers — for improving the security and privacy of wireless implantable medical devices.
  • While Cloakers will not be applicable to all types of IMDs, for many IMDs the authors argue that Cloakers will strike a new balance between safety in the common case and security under adversarial conditions.
  • The security of the Cloaker system relies upon the patient’s wearing the Cloaker device in any environment where unauthorized communications might take place.
Tables
  • Table 1: The total code size divided by module type, calculated as the number of semicolons
  • Table 2: The total code size divided by code function, calculated as the number of semicolons
Related work
  • There is a growing body of literature on security and privacy in pervasive healthcare. Venkatasubramanian and Gupta [18] provide a survey of current directions within the field, and our own work [8] focuses in particular on implantable medical devices. One previous approach for securing the communications between implantables is to leverage keys derived directly from measurements of the patient’s physiology, such as the patient’s inter-pulse timing [3].

    Our other work highlighted the security issues for IMDs in the context of a real implantable defibrillator, and also proposed new security mechanisms that chipped away at the tension between security and safety [9]. From a defensive direction, we believe that the new Cloaker approaches advocated in this paper will strike a much better balance between security and safety compared to our previous proposals.

    The Cloaker approaches have a common ancestor with the RFID Guardian [16], RFID Proxy [12], and the Blocker Tag [11], and indeed all these systems offer similar fail-open behavior; however, whereas the fail-open behavior of these RFID defenses is arguably an unintentional side effect of their need for backward-compatibility with existing RFIDs, the fail-open behavior of our Cloakers is explicit and intentional. Having the fail-open characteristic as a design goal, plus the additional unique features available with IMDs, gives us much greater freedom to propose and explore new design trade-offs in the context of IMDs. We can avoid the need to remain backward-compatible with existing IMDs. We can also, for example: directly involve the IMDs in the design of the system; leverage the fact that IMDs are active devices with batteries and greater computational power than RFIDs; and leverage the fact that a Cloaker could have a pulse sensor.
References
  • [1] H.-J. Chae, D. J. Yeager, J. R. Smith, and K. Fu. Maximalist cryptography and computation on the WISP UHF RFID tag. In Conference on RFID Security, July 2007.
  • [2] S. Chekmenev, A. Farag, and E. Essock. Thermal imaging of the superficial temporal artery: An arterial pulse recovery model. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR ’07), pages 1–6, June 2007.
  • [3] S. Cherukuri, K. Venkatasubramanian, and S. Gupta. BioSec: A biometric based approach for securing communication in wireless networks of biosensors implanted in the human body. In ICPP Workshops, 2003.
  • [4] B. Ertl. Hooligans attack epilepsy patients during epilepsy awareness month. http://www.pr.com/press-release/60959, 2007.
  • [5] A. Ferreira, R. Cruz-Correia, L. Antunes, P. Farinha, E. Oliveira-Palhares, D. W. Chadwick, and A. Costa-Pereira. How to break access control in a controlled manner. In CBMS ’06: Proceedings of the 19th IEEE Symposium on Computer-Based Medical Systems, pages 847–854, Washington, DC, USA, 2006. IEEE Computer Society.
  • [6] P. Gould and A. Krahn. Complications associated with implantable cardioverter-defibrillator replacement in response to device advisories. JAMA, 295(16):1907–1911, April 2006.
  • [7] B. Greenstein, D. McCoy, J. Pang, T. Kohno, S. Seshan, and D. Wetherall. Improving wireless privacy with an identifier-free link layer protocol. In MobiSys, June 2008.
  • [8] D. Halperin, T. S. Heydt-Benjamin, K. Fu, T. Kohno, and W. H. Maisel. Security and privacy for implantable medical devices. IEEE Pervasive Computing, 7:30–39, January-March 2008.
  • [9] D. Halperin, T. S. Heydt-Benjamin, B. Ransford, S. S. Clark, B. Defend, W. Morgan, K. Fu, T. Kohno, and W. H. Maisel. Pacemakers and implantable cardiac defibrillators: Software radio attacks and zero-power defenses. In IEEE Symposium on Security and Privacy, May 2008.
  • [10] G. Harris. Heparin contamination may have been deliberate, F.D.A. says. http://www.nytimes.com/2008/04/30/health/policy/30heparin.html, 2008.
  • [11] A. Juels, R. L. Rivest, and M. Szydlo. The blocker tag: selective blocking of RFID tags for consumer privacy. In CCS, 2003.
  • [12] A. Juels, P. Syverson, and D. Bailey. High-power proxies for enhancing RFID privacy and utility. In PET, 2005.
  • [13] I. Kirschenbaum and A. Wool. How to build a low-cost, extended-range RFID skimmer. In USENIX Security, 2006.
  • [14] W. H. Maisel, W. G. Stevenson, and L. M. Epstein. Changing trends in pacemaker and implantable cardioverter defibrillator generator advisories. Journal of Pacing and Clinical Electrophysiology, 25(12):1670–1678, December 2002.
  • [15] K. Poulsen. Hackers assault epilepsy patients via computer. http://www.wired.com/politics/security/news/2008/03/epilepsy, 2008.
  • [16] M. Rieback, B. Crispo, and A. Tanenbaum. RFID Guardian: A battery-powered mobile device for RFID privacy management. In ACISP, pages 184–194, 2005.
  • [17] F. Stajano and R. J. Anderson. The resurrecting duckling: Security issues for ad-hoc wireless networks. In Proceedings of Security Protocols, 7th International Workshop, LNCS 1796, pages 172–194, 1999.
  • [18] K. Venkatasubramanian and S. Gupta. Chapter 15: Security for pervasive healthcare. In Y. Xiao, editor, Security in Distributed, Grid, Mobile, and Pervasive Computing. 2007.
  • [19] T. Zimmerman. Personal area networks: Near-field intrabody communication. IBM Systems Journal, 35(3 & 4):609–617, 1996.