Thursday, September 29, 2011

Another wireless infusion pump announced

Another wireless infusion pump has been announced. Wireless has the potential to revolutionize medicine, but what about the challenging security and privacy risks of wireless? I wonder how well the software system adheres to the classic open design principle for security engineering. What kind of cryptographic protocols are in place for secure updates of drug libraries? If SSL is used, how does the manufacturer revoke certificates when a CA is compromised? Does the device rely on proprietary techniques or sound security engineering? These are important types of questions to ponder when taking a previously non-wireless medical device and then exposing the device to the wild west of wireless. Meanwhile, it's still a vexing problem to protect a Facebook account from wireless compromise let alone a medical device.

According to this public database entry, this pump was cleared through the 510(k) process and deemed substantially equivalent to a predicate device. The database entry does not indicate whether the predicate device was wireless.

Thursday, September 8, 2011

Improving implantable medical device security and privacy with the IMD Shield

We researchers at the MDSC spend a lot of time thinking about vulnerabilities in implantable medical devices (IMDs), but it's über-exciting when we can also work on emerging technology that improves the security and privacy of medical devices. The IMD Shield, presented at ACM SIGCOMM 2011, takes a fresh look at IMD communications and offers somewhat unorthodox solutions to several hard security problems:
  1. How can we protect an IMD without requiring that it be surgically replaced?
  2. How should an IMD's security and privacy mechanisms fail open—that is, protect the device by default but allow emergency responders to bypass them?
  3. How can we prevent eavesdroppers from receiving sensitive patient information from an IMD?
  4. How can we prevent an IMD from obeying commands from unauthorized transmitters?
The secret sauce is friendly jamming, applied judiciously. The IMD Shield takes advantage of the specific properties of medical communications (in the MICS band) to protect IMDs from passive and active adversaries, to fail open when appropriate, and to reduce the risks related to surgical replacement.

Sidebar: Overview of the IMD Shield from a USENIX Security 2011 poster.
On to the paper's details: A shield is a wearable electronic device that acts as a proxy for an IMD's communications. In a future form, the shield might resemble a locket or necklace. It has two antennas inside, designated TX (transmit) and RX+TX (receive and transmit). It listens on a certain set of wireless channels for messages to or from the IMD. When it hears a message destined for the IMD, the shield transmits a random jamming signal that prevents the IMD from receiving the message. Only after authenticating the message's sender does the shield stop jamming. In the other direction, the shield jams every message sent by the IMD to foil eavesdroppers: it transmits a random jamming signal while simultaneously transmitting an antidote signal that cancels the jamming only at the shield's RX+TX antenna. The shield and an authorized IMD programmer (e.g., one in a doctor's clinic, or a bedside monitor) establish an encrypted channel out of band and exchange messages over it.

Sidebar: The IMD Shield's jamming strategy provides information-theoretic security akin to that of a one-time pad. The shield fails open when off or absent. (From a USENIX Security 2011 poster.)
Mapping the shield's operations to the four key problems above: (1) None of the shield's protection mechanisms require IMD replacement. (2) When the shield is powered off or removed by an emergency responder, it does not jam any signals; the system fails open. (3) The shield's jamming of IMD transmissions foils eavesdroppers, who cannot distinguish IMD transmissions from junk. (4) The shield prevents the IMD from obeying—or even hearing—unauthorized commands.
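To make the two-antenna trick concrete, here is an added toy baseband simulation of the shield's friendly jamming; it is not the paper's USRP/GNU Radio code, and the real-valued channel gains, the exact antidote cancellation at the RX+TX antenna, and the hard-decision BPSK receiver are all simplifying assumptions. It shows why the shield can still read the IMD while an eavesdropper sees near-random bits, and that the protection disappears (fails open) when the shield is off.

```python
"""Toy baseband model of IMD Shield friendly jamming (added example, not the
paper's implementation). Channels are constructed scalar gains; the antidote is
assumed to cancel the jamming exactly at the shield's own RX+TX antenna."""
import random

# Constructed channel gains (assumptions, not measured values).
H_IMD_TO_SHIELD = 1.0   # IMD -> shield's RX+TX antenna
H_TX_TO_RX = 0.3        # shield's TX (jamming) antenna -> its RX+TX antenna
H_IMD_TO_EAVES = 0.5    # IMD -> eavesdropper
H_TX_TO_EAVES = 0.5     # jamming antenna -> eavesdropper
H_RX_TO_EAVES = 0.4     # antidote (RX+TX antenna) -> eavesdropper


def decode(samples, gain):
    """Hard-decision BPSK: recover one bit from the sign of each sample."""
    return [1 if s / gain > 0 else 0 for s in samples]


def bit_error_rate(sent, received):
    return sum(a != b for a, b in zip(sent, received)) / len(sent)


def simulate(n_bits=2000, shield_on=True, jam_std=10.0, noise_std=0.05, seed=7):
    """Return BER seen by the shield and by an eavesdropper for IMD transmissions."""
    rng = random.Random(seed)
    bits = [rng.randint(0, 1) for _ in range(n_bits)]
    x = [1.0 if b else -1.0 for b in bits]                  # IMD's BPSK symbols
    # Random jamming from the TX antenna; zero when the shield is off or absent.
    j = [rng.gauss(0.0, jam_std) if shield_on else 0.0 for _ in range(n_bits)]
    # Antidote from the RX+TX antenna, tuned to the TX->RX channel so jamming
    # and antidote sum to zero at that antenna only.
    a = [-H_TX_TO_RX * jj for jj in j]
    shield_rx = [H_IMD_TO_SHIELD * xi + H_TX_TO_RX * jj + ai + rng.gauss(0, noise_std)
                 for xi, jj, ai in zip(x, j, a)]
    # At any other location the gains differ, so the jamming does not cancel.
    eaves_rx = [H_IMD_TO_EAVES * xi + H_TX_TO_EAVES * jj + H_RX_TO_EAVES * ai
                + rng.gauss(0, noise_std) for xi, jj, ai in zip(x, j, a)]
    return {
        "shield_ber": bit_error_rate(bits, decode(shield_rx, H_IMD_TO_SHIELD)),
        "eavesdropper_ber": bit_error_rate(bits, decode(eaves_rx, H_IMD_TO_EAVES)),
    }


if __name__ == "__main__":
    print("shield on :", simulate(shield_on=True))    # eavesdropper BER near 0.5
    print("shield off:", simulate(shield_on=False))   # both decode cleanly: fails open
```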

The shield is currently implemented as a prototype on USRP boards controlled by GNU Radio.

["They Can Hear Your Heartbeats: Non-Invasive Security for Implanted Medical Devices"
by Shyamnath Gollakota, Haitham Hassanieh, Ben Ransford, Dina Katabi and Kevin Fu received the Best Paper Award at ACM SIGCOMM 2011.]

Friday, September 2, 2011

Hugh Darrow and Medical Device Security

This morning a friend sent me a screenshot from the new video game Deus Ex: Human Revolution, which he said gave him déjà vu. The game is about a dystopian future in which the use of human augmentation for clinical and military purposes is widespread. I won't comment on the game's sci-fi prognostication, but it looks like they decided to use our work as background material for this fictional universe.

The screenshot, which appears to the left, contains three sentences taken directly from the abstract of our IEEE paper from 2008: Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-power Defenses.

Compare the screenshot with our original abstract to see for yourself.

I think it only fair that the publisher or the developers send the team here at the Medical Device Security Center a few copies for "peer review." I have an Xbox and a PC, in case anyone is wondering....