the (in)security of implantable medical devices
TRANSCRIPT
![Page 1: The (in)security of implantable medical devices](https://reader033.vdocuments.net/reader033/viewer/2022041920/62553730eeab6307f56ad05f/html5/thumbnails/1.jpg)
Eduard Marin
Telefonica Research, Spain
The (in)security of implantable
medical devices
![Page 2: The (in)security of implantable medical devices](https://reader033.vdocuments.net/reader033/viewer/2022041920/62553730eeab6307f56ad05f/html5/thumbnails/2.jpg)
PACEMAKERINSULIN PUMP
NEUROSTIMULATOR
![Page 3: The (in)security of implantable medical devices](https://reader033.vdocuments.net/reader033/viewer/2022041920/62553730eeab6307f56ad05f/html5/thumbnails/3.jpg)
Evolution of pacemaker technology
Source: St Jude Medical
![Page 4: The (in)security of implantable medical devices](https://reader033.vdocuments.net/reader033/viewer/2022041920/62553730eeab6307f56ad05f/html5/thumbnails/4.jpg)
![Page 5: The (in)security of implantable medical devices](https://reader033.vdocuments.net/reader033/viewer/2022041920/62553730eeab6307f56ad05f/html5/thumbnails/5.jpg)
Why attack someone with an IMD?
• Cause physical harm
![Page 6: The (in)security of implantable medical devices](https://reader033.vdocuments.net/reader033/viewer/2022041920/62553730eeab6307f56ad05f/html5/thumbnails/6.jpg)
Why attack someone with an IMD?
• Cause physical harm
• Economic reasons
![Page 7: The (in)security of implantable medical devices](https://reader033.vdocuments.net/reader033/viewer/2022041920/62553730eeab6307f56ad05f/html5/thumbnails/7.jpg)
Why attack someone with an IMD?
• Cause physical harm
• Economic reasons
• Learn patient’s sensitive information
![Page 8: The (in)security of implantable medical devices](https://reader033.vdocuments.net/reader033/viewer/2022041920/62553730eeab6307f56ad05f/html5/thumbnails/8.jpg)
System architecture
IMD
Wireless interface
Analogue interface(Sensors)
Base station
Commandstelemetry data
Telemetry data Internet
IMD
manufacturer
Doctors and/or
patients
Actuate
Physiological signals
External sensors
Physiological signals
Device
programmer
![Page 9: The (in)security of implantable medical devices](https://reader033.vdocuments.net/reader033/viewer/2022041920/62553730eeab6307f56ad05f/html5/thumbnails/9.jpg)
System architecture
IMD
Wireless interface
Analogue interface(Sensors)
Base station
Commandstelemetry data
Telemetry data Internet
IMD
manufacturer
Doctors and/or
patients
Actuate
Physiological signals
External sensors
Physiological signals
Device
programmer
![Page 10: The (in)security of implantable medical devices](https://reader033.vdocuments.net/reader033/viewer/2022041920/62553730eeab6307f56ad05f/html5/thumbnails/10.jpg)
Wireless attacks (simplified)
IMDDevice programmer
Adversaries can capture the exchanged messages to infer sensitive medical and
personal data about the patient
![Page 11: The (in)security of implantable medical devices](https://reader033.vdocuments.net/reader033/viewer/2022041920/62553730eeab6307f56ad05f/html5/thumbnails/11.jpg)
Wireless attacks (simplified)
IMDDevice programmer
Adversaries can send maliciously crafted commands to the patient’s IMD
![Page 12: The (in)security of implantable medical devices](https://reader033.vdocuments.net/reader033/viewer/2022041920/62553730eeab6307f56ad05f/html5/thumbnails/12.jpg)
Wireless attacks (simplified)
IMDDevice programmer
Adversaries can repeatedly send messages to the patient’s IMD to reduce the
battery lifetime
![Page 13: The (in)security of implantable medical devices](https://reader033.vdocuments.net/reader033/viewer/2022041920/62553730eeab6307f56ad05f/html5/thumbnails/13.jpg)
“Academic attacks”
2008: Replay attacks on an ICD (Halperin et al.)
2010: DoS attacks on IMDs (Hei et al.)
2012: Attacks on an insulin pump (Li et al.)
2015: Attacks on an infusion pump system (Billy Rios)
2016: Attacks on an insulin pump system (Marin et al.)
2016: Attacks on pacemakers (Marin et al.)
2018: Attacks on neurostimulators (Marin et al.)
?? : First real attack in the wild
TIM
E
![Page 14: The (in)security of implantable medical devices](https://reader033.vdocuments.net/reader033/viewer/2022041920/62553730eeab6307f56ad05f/html5/thumbnails/14.jpg)
![Page 15: The (in)security of implantable medical devices](https://reader033.vdocuments.net/reader033/viewer/2022041920/62553730eeab6307f56ad05f/html5/thumbnails/15.jpg)
Pacemaker study
PacemakerDevice programmer
Device programmer Pacemaker
1) Activation phase: Short-range communication channel (<10 cm)
2) Programming phase: Long-range communication channel (2-5 m)
![Page 16: The (in)security of implantable medical devices](https://reader033.vdocuments.net/reader033/viewer/2022041920/62553730eeab6307f56ad05f/html5/thumbnails/16.jpg)
Laboratory setup
Device programmers
IMDs
Software Defined Radios
Antennas
Commercial laptop
![Page 17: The (in)security of implantable medical devices](https://reader033.vdocuments.net/reader033/viewer/2022041920/62553730eeab6307f56ad05f/html5/thumbnails/17.jpg)
Wireless communication parameters
• Transmission frequency– MICS band (402 – 405MHz).
– 10 channels, 300 KHz bandwidth/channel
• Modulation scheme – Device programmer – ICD: FSK
– ICD – device programmer: DPSK
• Symbol rate– Hilbert transform (i.e. inst frequency)
![Page 18: The (in)security of implantable medical devices](https://reader033.vdocuments.net/reader033/viewer/2022041920/62553730eeab6307f56ad05f/html5/thumbnails/18.jpg)
Security analysis
• Security-through-obscurity (i.e. proprietary protocols)
• Reverse engineering
– Extract the firmware of these devices and analyse it
– Black-box approach
Device programmer
![Page 19: The (in)security of implantable medical devices](https://reader033.vdocuments.net/reader033/viewer/2022041920/62553730eeab6307f56ad05f/html5/thumbnails/19.jpg)
Black-box reverse engineering
Change therapy to X
Change therapy to Z
101010 101010 101010 101010
101010 101010 101010 101011
![Page 20: The (in)security of implantable medical devices](https://reader033.vdocuments.net/reader033/viewer/2022041920/62553730eeab6307f56ad05f/html5/thumbnails/20.jpg)
Intercepting the signals
SoF
sequencePreamble Message type
Message
numberPayload CRC
EoF
sequence
![Page 21: The (in)security of implantable medical devices](https://reader033.vdocuments.net/reader033/viewer/2022041920/62553730eeab6307f56ad05f/html5/thumbnails/21.jpg)
Responsible disclosure procedure
June 2016: We notified Medtronic following the principle of responsible
disclosure (and omitted important details in the paper)
August 2016: Paper got accepted at ACSAC’16
March 2019: the FDA issued a safety communication
Two CVEs were assigned to our findings:
• CVE-2019-6538: Improper Access Control score: 9.3
• CVE-2019-6540: Cleartext transmission of sensitive information
score: 6.5
![Page 22: The (in)security of implantable medical devices](https://reader033.vdocuments.net/reader033/viewer/2022041920/62553730eeab6307f56ad05f/html5/thumbnails/22.jpg)
Common security misconceptions
Security-by-obscurity is sufficient
Hacker cannot extend communication range
Hacker needs expensive hardware devices and “big antennas”
Hacker needs to be very near the patient to activate the IMD
![Page 23: The (in)security of implantable medical devices](https://reader033.vdocuments.net/reader033/viewer/2022041920/62553730eeab6307f56ad05f/html5/thumbnails/23.jpg)
Threat model
Defines who the adversary is and its capabilities
It is crucial to understand this
Problem: Manufacturers determine their threat model
keeping the previous misconceptions in mind
![Page 24: The (in)security of implantable medical devices](https://reader033.vdocuments.net/reader033/viewer/2022041920/62553730eeab6307f56ad05f/html5/thumbnails/24.jpg)
So… how should we do it?
Use cryptography (Kerckhoffs’s principle)
Balance between security, availability, usability and safety
Lightweight cryptographic algorithms
Novel key management solutions
![Page 25: The (in)security of implantable medical devices](https://reader033.vdocuments.net/reader033/viewer/2022041920/62553730eeab6307f56ad05f/html5/thumbnails/25.jpg)
Conclusions
Security = strong cryptographic algorithms (based on hard mathematical problems)
Insecurity = Security-by-obscurity, signal strength, distance, activation….
No real attack so far, but security is needed now