At the 3rd Usenix Workshop of Health Security and Privacy in Bellevue, Washington, last week, researchers focused their attention on medical devices, and not all of the presentations were about new ways of breaking them.
Among those defending medical devices against future attacks were researchers Cory Cornelius, Jacob Sorber, Ronald Peterson, Joe Skinner, Ryan Halter, and David Kotz, who presented a way in which implantable medical devices (IMDs) could be secured to respond only to authorized individuals. Stronger authentication has been discussed before, but this group proposed the use of bioimpedance, which authenticates without the need for complicated passwords.
Bioimpedance measures how body tissues oppose a tiny applied alternating current, and this method is said to accurately recognize people within a household 90 percent of the time. Previously it was proposed that people wear RFID bracelets or carry a complicated set of passwords to authenticate themselves to the medical device. Bioimpedance is a biometric system that should be much harder for an attacker to spoof.
Their full paper can be found here.
Also at the Usenix conference, another paper suggests that the problem with hacking medical devices is more widespread than just insulin pumps and heart defibrillators. Researchers Nathanael Paul and Tadayoshi Kohno found that many other IMDs face similar risks, especially if the user interfaces are designed with convenience in mind rather than security.
The researchers wrote, “to decrease the complexity of operating an insulin pump infusion system, the control interface display often hides much of the functionality of the device. The more limited display makes the device easier to use, but the patient trusts that certain settings do not change. In order to change the pump’s settings, it is intended that physical possession is needed of the pump remote control or the pump device itself.” The researchers presented to the conference how low-tech hacks could easily change the configuration without the user knowing.
The whole notion of changing the configuration settings of medical devices came to the fore last summer when my colleague Jay Radcliffe drew parallels between the human body and the SCADA industry. At Black Hat 2012 and again at DefCon 19, Radcliffe gave a personal account of his experience of having Type 1 diabetes and how the specific device he used at the time to control his diabetes could be manipulated by “evil doers.” (Radcliffe and the manufacturer have since patched things up.)
The insulin pump replaces the actions of the liver (which secretes sugar) and the pancreas (which secretes insulin). Too much blood sugar can overtax the kidneys and too little blood sugar can shut the body down. Radcliffe equated these bodily processes to industrial SCADA systems which regulate pressure in gas and electric utilities—too much and the system blows, too little and the electrical or water system shuts down.
Radcliffe uses a commercial insulin pump, a device costing about $6,000, that is designed to work for years. Through tubes inserted into his skin, the pump secretes a baseline insulin blast every 3 minutes or so and then sends more at mealtimes. Blood meters wirelessly send measurements to the pumps with a physical range of up to 100 feet.
What he found was that his monitor did not verify the remote signal. Worse, the pump broadcasts its unique ID, so he was able to send the device a command that put it into SUSPEND mode (a DoS attack). That meant Radcliffe could overwrite the device configurations to inject more insulin. Once insulin is in the body, it cannot be removed (short of consuming something sugary). The same overwrite of commands would also be possible with pacemakers.
To mitigate this attack, he said manufacturers should turn on the crypto that’s available in Bluetooth. Radcliffe also suggests using infrared rather than radio frequency, and in the meantime suggested the use of RF necklaces that block hostile RF commands. During Black Hat, he said, he was contacted by two vendors (neither was the vendor he uses), and both vendors used SSL between the meter and the pump. Radcliffe has since migrated to a newer insulin pump, one he says is more secure.
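The gap described above, a pump that acts on any frame carrying its broadcast ID, is shown here next to an authenticated alternative. This is an added example, not code from Radcliffe, the researchers or any vendor: the frame layout, `PUMP_ID`, `PAIRING_KEY` and all function names are constructed, and HMAC-SHA256 with a message counter stands in for the link-layer crypto the article mentions.

```python
import hmac, hashlib, struct

# All names, the frame layout and the key below are constructed for illustration.
PUMP_ID = b"PUMP-0001"          # broadcast in the clear, so it is not a secret
PAIRING_KEY = bytes(range(32))  # assumed shared secret set when remote and pump pair
TAG_LEN = 16

def accept_id_only(frame: bytes) -> bool:
    """Weak check: any sender that overheard the pump ID passes."""
    return frame.startswith(PUMP_ID)

def build_frame(key: bytes, counter: int, command: bytes) -> bytes:
    """Remote side: ID || 4-byte counter || command || truncated HMAC tag."""
    body = PUMP_ID + struct.pack(">I", counter) + command
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag

class Pump:
    """Pump side: verify the tag, then require a strictly increasing counter."""
    def __init__(self, key: bytes):
        self.key, self.last_counter = key, 0

    def accept(self, frame: bytes) -> bool:
        min_len = len(PUMP_ID) + 4 + 1 + TAG_LEN
        if len(frame) < min_len or not frame.startswith(PUMP_ID):
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False                      # sender does not hold the pairing key
        (counter,) = struct.unpack(">I", body[len(PUMP_ID):len(PUMP_ID) + 4])
        if counter <= self.last_counter:
            return False                      # previously seen frame sent again
        self.last_counter = counter
        return True

def demo() -> dict:
    pump = Pump(PAIRING_KEY)
    genuine = build_frame(PAIRING_KEY, 1, b"SUSPEND")
    unkeyed = build_frame(b"\x00" * 32, 2, b"SUSPEND")  # sender lacks the key
    return {
        "id_only_accepts_unkeyed": accept_id_only(unkeyed),
        "hmac_accepts_genuine": pump.accept(genuine),
        "hmac_rejects_unkeyed": not pump.accept(unkeyed),
        "hmac_rejects_replay": not pump.accept(genuine),
    }

if __name__ == "__main__":
    print(demo())
```

The counter check matters as much as the tag: without it, a correctly authenticated SUSPEND frame would be accepted again every time it was retransmitted.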
Hopefully, the research presented at Usenix and other conferences will lead to more secure medical devices. And hopefully more manufacturers will get behind the initiatives to secure their medical devices. But I could see other uses as well. For example, how about bioimpedance authentication for our mobile phones?