Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses


Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses
A CSE 713 presentation by Harish Shankar and Ranjan Mohan.

Heads Up!
Throughout this presentation the following abbreviations are used:
ICD - Implantable Cardioverter Defibrillator
IMD - Implantable Medical Device
GNU RB - GNU Radio Blocks
DPSK - Differential Binary Phase Shift Keying
FSK - Frequency Shift Keying
MICS - Medical Implant Communications
USRP - Universal Software Radio Peripheral

A Brief Introduction
IMDs are man-made devices designed to replace or support biological structures; examples include pacemakers, ICDs and implantable drug pumps. This presentation focuses on:
- identifying the security and privacy vulnerabilities of a particular model of ICD, and
- proposing zero-power solutions to the identified weaknesses.

Pacemakers
A pacemaker is a small device that is placed under the skin of the chest or abdomen to help control abnormal heart rhythms. It uses electrical pulses to prompt the heart to beat at a normal rate. Pacemakers are used to treat heart rhythms that are too slow, too fast, or irregular.

If a device is implanted in a person, some means is needed of ensuring that the device is working and safe. Below is a basic kit that uses radio transmission to obtain feedback on the status of the device.

Implantable Cardioverter Defibrillators
An ICD works in a similar fashion to a pacemaker. It continually monitors the heart rhythm and sends low-energy pulses to restore it, switching to high-energy shocks when the low-energy pulses are ineffective. A healthcare practitioner can use an external programmer to:
- perform diagnostics,
- read and write private data, and
- adjust private settings.

Related Work and the Contributions Specific to This Study
Past research has focused on:
1. Unintentional failures
2. Surveys of a wide range of IMD-related issues
3. Cryptographic operations such as authentication by human sensory input and short-range plain-text key exchange
This study focuses on:
1. Intentional attacks
2. Patient notification of cryptographic operations
3. Zero-power defenses
4. Key exchange over an acoustic channel rather than an electrical channel

How does Wireless Security come into play?
Analyzing the ICD and how it works, there are two key components that can be compromised:
Magnetic switch: the switch is what initiates the ICD's transmission of telemetry data such as electrocardiogram readings.
Wireless communication system: most devices use the 175 kHz band (short range) to communicate with the external programmer. Newer ICDs also use the 402-405 MHz Medical Implants Communication band (MICS).

Different Attack Strategies Possible
- An adversary with a commercial ICD programmer.
- A passive adversary who eavesdrops on communications between the ICD and a commercial programmer.
- An active adversary who extends the passive adversary with the ability to generate arbitrary RF traffic, not necessarily conforming to the expected modulation schemes or FCC regulations.

Reverse Engineering Transmissions
With the help of an oscilloscope it is possible to trivially identify transmissions from the ICD and the ICD programmer. The oscilloscope could not be used for the complete eavesdropping duration because of its storage limitation (8 s of capture). The full-fledged eavesdropper was built using the Universal Software Radio Peripheral (USRP) together with the GNU Radio libraries in C and Python. Reverse engineering is taking apart an object to see how it works in order to duplicate or enhance it; here, the oscilloscope lets us collect the data used in the communication and analyze how it works.

Observations made from the Oscilloscope
From the obtained traces it was observed that:
- the ICD and the programmer share the same encoding scheme;
- the ICD uses a Differential Binary Phase Shift Keying (DPSK) modulation scheme;
- the programmer uses a Binary Frequency Shift Keying (BFSK) modulation scheme.

In the figure, components from left to right: eavesdropping antenna, an ICD, transmitting antenna (mounted on cardboard), and a USRP with a BasicTX card attached.

Eavesdropping with a Commodity Software Radio
Steps involved:
Establishing a transaction timeline: a key part of this step is to establish where and when to eavesdrop. From the flow of communication it is possible to narrow down the ideal window, or time frame, in which to eavesdrop.

Interaction between the ICD and Programmer
Notice that an exchange of the ID and model number is part of the data exchange; this was introduced to ensure that only coupled devices could communicate with each other.

Inspection using GNU Radio Blocks:
A GNU RB flow graph is used to inspect the signals obtained from the narrowed-down timeline, by translating the DSP blocks into an information flow graph, and then to:
- packetize the bitstreams;
- identify patterns in the packets of data (packet limiters and delimiters).

Intercepting the patient data: the patient data being transmitted is easily decipherable. No cryptographic techniques are used to protect the data exchanged, i.e. upon interception the data is already available in plain text.
Intercepting the telemetry data: the ICD begins transmitting data on a magnetic trigger. This implies that any magnet of sufficient strength could make the ICD initiate the telemetry signals.

Replay Attacks using a Commodity Software Radio
The basic idea is to set the ICD to an unknown state and replay the desired transmission in a loop for a brief period of time.

Possible Replay Attacks
Triggering ICD identification: a 1.5-second replay of the auto-identification trace recorded from the programmer. As the auto-identification command is the first set of packets a programmer sends in a normal session, no prior synchronization is required.
Disclosing patient data: following the auto-identification stage, the ICD sends information such as patient data to the programmer. This means that, once a replay has been initiated with auto-identification, the programmer could request patient data from the ICD.

Changing patient details: replay traces in which the programmer changes the patient name and other details stored in the ICD. The replay is usually repeated many times to ensure that the intended change takes effect.
Setting the ICD's clock: the ICD's clock allows it to record timestamps in its event log and can be set from a menu on the programmer.
Modifying therapies: therapies are the ICD's responses to cardiac events. A programmer can be used to enable and personalize therapies for an individual's medical needs or to disable the device's lifesaving functions.

Denial of Service attacks: the ICD could be forced to remain in a mode in which it continually engages in wireless communication, leaving it unable to perform its required function at a life-threatening time.
Induced fibrillation: the programmer's user interface provides safeguards that make it difficult for a physician to accidentally issue a command shock when the ICD's therapies are disabled. A successful replay attack would allow an adversary to bypass the programmer using a software radio and so circumvent these safeguards.

USRP Setup
- Single-board FPGA with swappable interface cards.
- The USRP records signals in a format interconvertible with the oscilloscope's.
- Sampling rate up to 8 MHz; sampling rate used: 500 kHz.

Observations made from the USRP
On analysis of the captured trace, using the trivial identification of the modulation schemes from the oscilloscope analysis:
- The programmer uses BFSK with 150 kHz and 200 kHz tones.
- The ICD uses DPSK with bit stuffing.
- Encoding scheme: Non-Return-to-Zero Inverted (NRZI).
- End-of-frame delimiters.

Frequency Shift Keying (FSK)
Different states are represented by different frequencies: a 1 is represented by 200 kHz and a 0 by 150 kHz.

Differential Phase Shift Keying (DPSK)
A change of phase represents a 1; retaining the same phase represents a 0.
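As an added illustration that is not part of the original slides or the paper's code, the following Python models both schemes at the parameters the slides report: a 500 kHz sample rate, programmer BFSK tones of 150 kHz for 0 and 200 kHz for 1, and the ICD's phase-change-for-1 DPSK rule. The symbol length of 50 samples is an assumption, chosen so that each tone fits a whole number of cycles per symbol.

```python
import math

FS = 500_000                 # USRP sample rate reported on the slides (Hz)
F0, F1 = 150_000, 200_000    # programmer BFSK tones: 0 -> 150 kHz, 1 -> 200 kHz
SPS = 50                     # samples per symbol: assumed, gives 15 and 20 whole cycles


def bfsk_modulate(bits):
    """Return real samples of a continuous-phase BFSK burst for the bit list."""
    samples, phase = [], 0.0
    for b in bits:
        f = F1 if b else F0
        for _ in range(SPS):
            samples.append(math.cos(phase))
            phase += 2 * math.pi * f / FS   # phase carries across symbol edges
    return samples


def _tone_energy(chunk, f):
    """Non-coherent match of one symbol window against a candidate tone."""
    i = sum(s * math.cos(2 * math.pi * f * n / FS) for n, s in enumerate(chunk))
    q = sum(s * math.sin(2 * math.pi * f * n / FS) for n, s in enumerate(chunk))
    return i * i + q * q


def bfsk_demodulate(samples):
    """Decide each symbol by which tone correlates more strongly (no PLL needed)."""
    bits = []
    for k in range(0, len(samples) - SPS + 1, SPS):
        chunk = samples[k:k + SPS]
        bits.append(1 if _tone_energy(chunk, F1) > _tone_energy(chunk, F0) else 0)
    return bits


def dpsk_encode(bits):
    """ICD-side rule: a 1 flips the carrier phase, a 0 keeps it.
    Phases are 0/1 (0 or 180 degrees); the first symbol is the reference."""
    phases = [0]
    for b in bits:
        phases.append(phases[-1] ^ b)
    return phases


def dpsk_decode(phases):
    """Recover bits by comparing each symbol's phase with the previous one,
    so the receiver needs no absolute phase reference."""
    return [phases[i] ^ phases[i - 1] for i in range(1, len(phases))]


if __name__ == "__main__":
    msg = [1, 0, 1, 1, 0, 0, 1]
    print(bfsk_demodulate(bfsk_modulate(msg)))              # [1, 0, 1, 1, 0, 0, 1]
    print(dpsk_decode([1 - p for p in dpsk_encode(msg)]))   # [1, 0, 1, 1, 0, 0, 1]
```

The second print shows why DPSK suits a passive listener: inverting every phase (an unknown absolute phase at the receiver) leaves the decoded bits unchanged.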


Observations made from the USRP
On further analysis it was evident that the communication was in plaintext. The following fields were identified:
- frame delimiters
- patient's name
- date of birth
- medical ID number
- name and phone number of the treating physician
- model and serial number of the ICD
- and more!

Proposed Counter-measure: WISPer
- Zero-power wireless notification
- Postage-stamp-sized RFID circuit
- TI MSP430F1232 microcontroller with 256 bytes of RAM and 8 KB of storage
- Audible alerts generated through a piezo element
- Harvests energy from a 915 MHz RF signal generated by an Alien ALR9640 nanoscanner, a UHF RFID card reader
- Implements a simple challenge-response protocol

Zero Power Authentication
A simple challenge-response protocol based on RC5. The model is as follows:
- All commercial programmers know a master key Km.
- Each IMD has a unique serial number I and a key K = f(Km, I), where f is a cryptographically strong pseudo-random function.
- The programmer transmits an authentication request to the WISP.
- The WISP responds with its identity I and a nonce N.
- The programmer computes K to obtain the IMD-specific key and returns the response R = RC5(K, N).
- The WISP computes the same value and compares it with R. If authentication succeeds, it notifies the IMD through a GPIO pin.

Zero Power Sensible Key Exchange
- The programmer initiates this protocol by supplying an unmodulated RF carrier signal, which powers the passive component of the IMD.
- The IMD generates a random session key and broadcasts it as a modulated sound wave.
- This signal can be demodulated by placing a microphone in close proximity to the IMD.
- At an appreciable distance the signal is not audible over background noise.

Evaluation of WISPer
Sound Pressure Level (SPL) was measured using a sound level meter (reference value 20 micropascals).
Initial tests:
- buzzing volume at a distance of 1 m: 67 dB SPL
- normal conversation: 60 dB SPL
- vacuum cleaner at a distance of 3 m: 70 dB SPL
WISPer was then implanted 1 cm beneath bacon with 4 cm of ground beef packed under it. The observed sound at the surface of the tissue: 84 dB SPL.

Cryptographic techniques, including encryption and key management, depend entirely on the specifics of the model. For the key exchange mechanism, FSK modulation with a baud rate of 310 Bd and a 128-bit nonce was used. It performed the key exchange without an external supply, and the signal was measured at 75 dB SPL through a human hand. Noise emitted by the electrical components can be reduced by radio shielding or by using optical links between security-sensitive modules.

Conclusion
ICDs are:
- potentially susceptible to malicious attacks that violate the privacy of the patient's information;
- exposed to malicious alteration of the integrity of the information or of the state of the device.
The three proposed solutions counter the above problems in a power-effective way:
- Zero Power Authentication
- Zero Power Notification
- Zero Power Key Exchange

References
D. Halperin, T. S. Heydt-Benjamin, B. Ransford, S. S. Clark, B. Defend, W. Morgan, K. Fu, T. Kohno, and W. H. Maisel. Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses. In IEEE Symposium on Security and Privacy, Oakland, CA, 2008, pp. 129-142.
https://en.wikipedia.org/wiki/phase-shift_keying#differential_phase-shift_keying_.28DPSK.29
https://en.wikipedia.org/wiki/frequency-shift_keying