presentation

Report
Heart-to-Heart (H2H):
Authentication for Implanted Medical Devices
M. ROSTAMI
A. JUELS
F. KOUSHANFAR
RICE UNIV.
(VARIOUS CAFES)
RICE UN IV.
© 2013 M. Rostami, A. Juels, and F. Koushanfar
1
What’s an IMD?
•Implanted Medical Devices (IMDs) are surgically implanted
systems that monitor physiological conditions and (usually)
apply therapies.
•Pacemakers
•Cardiac defibrillators
•Neurostimulators
•Drug-delivery devices
•25 million people in U.S. alone fitted with IMDs
2
What’s an IMD?
•Medical devices branching into
many areas; someday, most people
may have one
•Example: Transcranial Direct
Current Stimulation (tDCS)
•Improves cognitive performance
•(May also prevent migraines)
3
Why do we need to secure IMDs?
•IMDs are embedded systems
•Microprocessors
•Batteries
•Wireless interfaces
•Why wireless? In order to
•Update firmware, programming
•Provide telemetry
•Communicate with other IMDs
(eventually)
4
Two big dangers to IMD users
1. IMD access is too easy
• Landmark attack by Halperin et al. in 2008 (UMass,
UW, BI)
• The case of former U.S. VP Dick Cheney
• He has a heart
• He has a pacemaker (IMD)
• He was assassinated when his pacemaker was
hacked over the air… thankfully only on TV
• In real life, revealed two weeks ago to have
disabled pacemaker wireless in 2007 over
concerns about hacking
5
Two big dangers to IMD users
1. IMD access is too easy
• Landmark attack by Halperin et al. in 2008 (UMass,
UW, BI)
• The case of former U.S. VP Dick Cheney
• He has a heart
• He has a pacemaker (IMD)
• He was assassinated when his pacemaker was
hacked…
• In real life, revealed two weeks ago to have
disabled pacemaker wireless in 2007 over
concerns about hacking
6
Two big dangers to IMD users
1. IMD access is too easy
2. IMD access is too hard
• E.g., Patient collapses on sidewalk
• EMTs arrive and try to read diagnostics / reprogram IMD
• They can’t get access…
•
(They can’t remember their first pets’ names)
How do we address these conflicting challenges
for emergency access to IMD?
7
Some previous work
•
Conventional password / device key?
• 2010 U.S. Dept. of HHS report: medical errors may be third leading cause of death
• Password or key-based access to IMDs would be a key-distribution nightmare
•
•
Physical processes, e.g., magnets [HKH-BF+08]
Ultraviolet Micropigmentation Tattoos [S10]
•
•
•
Distance-bounding [RCH-BC09]
•
•
•
Nice approach
Power considerations, hardware modification, various attacks
Wearing a shield or jammer around the neck [GHRK+11]
•
•
Clever and probably workable
May not meet patient acceptance, may be hard to find, lacerations?
Can violate FCC rules, inconvenient
Transmitting key via Piezo device [HH-BRC+08]
• Our approach in H2H: Measurement of Physiological Values (PVs) (EKG)
8
Heart-to-Heart (H2H): setting and approach
• Two devices:
• IMD
• Programmer
• Access-control policy: Touch-to-access
• Protocol in H2H
1. Programmer sensor touches
patient’s body
2. IMD reads PV A
3. Programmer reads PV B
4. Devices check that A ≈ B
B
?
=
A
Programmer
9
Authentication using physiological values
• Earliest mention of approach: Patent filed by RSA in 2008
• Not implemented; few details
• Two published schemes (EKG):
• F. Xu, et. al., "Securing implantable medical devices with the external wearable
guardian," INFOCOM 2011.
• C. Hu, et. al., "OPFKA: Secure and efficient ordered-physiological-feature-based key
agreement for wireless body area networks," INFOCOM 2013
• Slightly different settings than IMD emergency access
• Both schemes shown vulnerable to cryptanalytic attack:
• M. Rostami, W. Burleson, A. Juels, and F. Koushanfar, “Balancing security and utility in
medical devices?” DAC, 2013.
10
Heart-to-Heart (H2H): What do EKG data look like?
•EKG measures electrical activity in body, reflecting activity of heart
•R peak is the most prominent EKG feature
•We examine R-R interval (heart-beat duration)
11
Heart-to-Heart (H2H): What do EKG data look like?
•R-R interval is also called the inter-pulse interval (IPI)
•Underlying processes have well-studied chaotic nature
•IPI is a good source of entropy (used in previous work)
12
How much entropy?
• We analyze some standard EKG databases (MIT-BIH, PTB, and MGH/MF)
• IPIs are normalized, quantized, and Gray-coded, yielding 8-bit value
• We take error between left hand & right hand as surrogate for that between
IMD and Programmer, i.e., between A and B…
13
Heart-to-Heart (H2H): entropy source
• Effectively have common, secret source of entropy for IMD and Programmer
• It outputs a 4-bit random value x1x2x3x4 with every heartbeat
• IMD and (honest) Programmer tap this source over (slightly) noisy channel
• IMD reads A, Programmer reads B
x1x2x3x4
Programmer
14
Heart-to-Heart (H2H): entropy source
•Of course, four bits aren’t a lot
•We can measure multiple IPIs to harvest more entropy
• Default in H2H: (n=15, 11-15 secs.)
x1x2x3x4
Programmer
15
Challenge 1: How to compare A and B?
•IMD should only give access to Programmer if A ≈ B
•But how close should A and B be?
•Previous schemes just look at Hamming distance between A and B
•But the error rates are non-uniform across bits
•E.g., x1 has 8% error rate, while x4 has error rate of 0.9%!
•This naïve approach throws away entropy!
•Our approach: Use Neyman-Pearson Lemma
16
Challenge 1: How to compare A and B?
Neyman-Pearson Lemma:
•For PV u:
•Let P(u) be probability adversary (no skin contact) makes guess u for
true PV
•Let Q(u) be probability valid Programmer/IMD yields u for true PV
•There exists an threshold T such that an optimal classifier accepts a
reading u as valid if
log (P(u) / Q(u)) > T
17
Challenge 1: How to compare A and B?
Neyman-Pearson criterion:
log (P(u) / Q(u)) > T
•
•
•
Conveniently, bits x1x2x3x4 are unbiased and independent
Paper contains a number of tricks for implementing NeymanPearson Lemma efficiently in IMD
We benefit from full entropy of source in comparing A ≈ B
18
Challenge 2: How to compare A and B securely?
• Idea 1: Have Programmer send B to the IMD and compare A and B on IMD
• An adversary can intercept and replay B
• How to compare A and B without exposing them on unauthenticated channel?
• Ideal 2: Use a Password-Based Key Agreement (PAKE) protocol (e.g.,
[KOY01]) to establish a secure channel between the IMD and Programmer
• PAKEs require A=B, and we have A≈B
• What we need is a fuzzy PAKE
• We could use fuzzy crypto (e.g., JW99, DORS04)
• Incurs entropy loss
• No clear way to integrate into PAKE
• General secure function evaluation too expensive for embedded devices
19
Challenge 2: How to compare A and B securely?
Key observation: Entropy source changes continuously,
so A and B treatable as one-time secrets!
•
•
We can expose A and B at end of protocol
We can use commit / decommit approach
Second observation: We can bootstrap protocol with
unauthenticated secure channel SecChannel
•
In practice, this means TLS without a certificate
20
H2H protocol overview
IMD
Programmer
SecChannel (TLS)s
Read A
CA Commit(A,wA;s)
CA
Read B
CB Commit(B,wB;s)
CB
wA
A ≈ B ???
✔
wB
A ≈ B ???
Prototype implementation: Design choices
•Design objective 1: Minimal power consumption on IMD
•SecChannel: Low exponent RSA-based TLS (e = 216+1) with IMD
as client
•Design objective 2: Stronger security than ordinary 8-digit
(e.g., SecurID) authentication token
•Read n = 15 IPIs (11 to 15 secs.)
•FAR, FRR < 3 x 10-9
•Design objective 3: No hardware modification to existing
IMDs
22
Power-consumption profile
ARM-Cortex M-3 microprocessor
23
Do we really get touch-to-access policy?
•I.e., is skin contact by Programmer required
to read IPIs clearly?
•Photoplethysmography (PPG)
• Subtle changes in skin color due to heart
• Our experiments show it isn’t a viable attack
•Head movements?
•Capacitive sensing?
•Ripley’s-Believe-It-or-Not attack
• EKG can be read via EEG of someone you shake
hands with [BBMG13]
24
A lot more work to do…
•More detailed security analysis
•Remove idealized SecChannel?
•Extract more entropy from EKG for protocol?
•Using H2H with other PVs
• EEG? EMG?
•Sensing attacks against touch-to-access?
25
Conclusions
•Heads of state shouldn’t have to deactivate IMD
features
•Today, though, it’s perhaps prudent to do so
•H2H offers touch-to-access authentication policy
using EKG
•Doesn’t require hardware modification to existing IMDs,
e.g., pacemakers
•IMD authentication is an important and interesting
problem at physical / logical security boundary
26

similar documents