BreachExchange mailing list archives

Hackers, keep your hands off my defibrillator!


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 16 Sep 2013 13:55:02 -0600

http://medcitynews.com/2013/09/hackers-keep-your-hands-off-my-defibrillator/

A way to secure implanted devices requires anyone trying to reprogram your
defibrillator to touch you first.

Implanted medical devices like defibrillators and insulin pumps now include
wireless connections to let doctors or technicians update software or
download data—but such improvements could open the door to life-threatening
wireless attacks.

Security researchers have shown that they can surreptitiously reprogram an
implanted defibrillator to stay inactive despite a cardiac emergency,
deliver a 700-volt jolt when not required, or drain its battery.

A solution from researchers at Rice University and the security company RSA
uses a heartbeat reading as a way to confirm that whoever is trying to
reprogram or download data from a device is in direct contact with the
patient and is not a remote hacker. This fix could work, the researchers
say, even in emergency situations where no delay can be tolerated.

Using the new method, a doctor holds a device against the patient’s body,
and takes a direct reading of the heartbeat. The device reads the patient’s
heartbeat and compares it to one relayed in a wireless signal from the
implant, and then confirms that the signals match. The wireless exchange of
the heartbeat signal is encrypted, thwarting any attempt to hijack the
communications during the exchange.

“This addresses a serious problem that has few existing solutions,” says
Shane Clark, a research scientist at BBN Technologies and a former grad
student in the lab of Kevin Fu
<http://www.eecs.umich.edu/eecs/etc/fac/facsearchform.cgi?kevinfu+>,
a leading medical device security researcher who is now at the University
of Michigan (see “Innovators Under 35: Kevin Fu
<http://www2.technologyreview.com/tr35/profile.aspx?trid=760>”).
“Given the unique constraints that implantable medical devices face, it is
important to tailor security approaches specifically for them, and that’s
what this technology does.”

Clark says the solution avoids making things too cumbersome for a doctor or
paramedic to access the device in an emergency. They would not, for
example, need to individually authenticate themselves with a password or
confirm a patient’s identity. Such traditional approaches “have
the potential to endanger the lives of patients in an emergency situation
where authentication fails,” Clark says.

While various research efforts show that a person’s heartbeat can be used
as a biometric identifier, this one only seeks to ensure that two devices
are listening to the same thing at the same time. A future emergency
responder wouldn’t need to know the identity of a heart-attack victim, for
example, before gaining access and downloading information from the
victim’s implanted device. “The heart is very conveniently producing this
stream of random bits, and we tap into the stream of bits and make sure we
are getting the same signal at the same time,” says Ari Juels
<http://www.emc.com/emc-plus/rsa-labs/staff-associates/ari-juels.htm>,
chief scientist at RSA Laboratories in Cambridge, Massachusetts, and a
co-author of the paper.  (In particular, it simply looks at the pause
between beats to find a match.) “Our approach doesn’t rely on a
registration of a biometric—all it does is check that the signals are
identical.”

But the encryption step is important, he says.  This prevents a theoretical
attacker in, say, a hospital or a battlefield setting from hijacking the
signal in order to issue malicious instructions. In addition, “the fact
that you are reading a random changing symbol means the attacker can’t
profile the heartbeat at one time and use the information later to attack
the device,” he adds.

Right now, doctors or medical device makers use wireless communication
to update software on the device, and to download information about events
(such as shocks delivered to the heart or the timing of insulin doses)
without requiring surgery.

But it’s a system based on trust, says Masoud Rostami, a PhD candidate at
Rice who co-wrote the paper on the heartbeat method. “Unfortunately,
manufacturers have not implemented any security mechanisms in [implanted
medical devices]. They didn’t or couldn’t even use simple passwords, since
they rightfully fear that the password can be lost or stolen.”

Right now, paramedics don’t generally interact with implanted devices. But
in the future, it might be valuable for them to have the ability to
download data from implanted devices in order to diagnose a condition in an
emergency.

However, implementing any changes would take a long time, due to the need
for U.S. Food and Drug Administration approval.  “Given the long product
lifecycles, it would probably take years to reach the market even if a
manufacturer wanted to start implementing it today,” Clark says.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
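
An added sketch (not code from the article, the researchers' paper, or any device maker) of the matching step the article describes: both devices turn the pauses between beats into bits, and access is granted only when the two bit streams agree. The quantisation step, the Gray coding, the mismatch threshold and the sample intervals are assumptions constructed for illustration; the encrypted exchange of the readings is assumed to happen separately.

```python
# Added illustration. STEP_MS, BITS_PER_BEAT, MAX_MISMATCH and all sample
# intervals are assumptions, not values from the article or the paper.
STEP_MS = 8          # ignore timing detail finer than sensor jitter
BITS_PER_BEAT = 4    # bits kept from each quantised interval
MAX_MISMATCH = 0.25  # largest fraction of differing bits still accepted


def interval_bits(intervals_ms):
    """Map each pause between beats (ms) to BITS_PER_BEAT Gray-coded bits."""
    bits = []
    for ipi in intervals_ms:
        q = ipi // STEP_MS
        gray = q ^ (q >> 1)  # adjacent q values differ in exactly one bit
        bits.extend((gray >> i) & 1 for i in range(BITS_PER_BEAT))
    return bits


def mismatch(a_ms, b_ms):
    """Fraction of bits that differ between two interval sequences."""
    a, b = interval_bits(a_ms), interval_bits(b_ms)
    if not a or len(a) != len(b):
        raise ValueError("readings must cover the same non-zero number of beats")
    return sum(x != y for x, y in zip(a, b)) / len(a)


def same_heartbeat(implant_ms, programmer_ms):
    """True when both devices plausibly measured the same beats."""
    return mismatch(implant_ms, programmer_ms) <= MAX_MISMATCH


# Constructed readings: pauses between successive beats, in milliseconds.
IMPLANT = [812, 790, 845, 771, 800, 828, 766, 851, 797, 819, 783, 836]
# Programmer held against the patient: same beats, 1-2 ms of sensor jitter.
TOUCHING = [813, 789, 846, 770, 799, 827, 767, 850, 796, 820, 784, 838]
# Recording of the same patient from an earlier session, replayed later.
STALE = [795, 838, 779, 816, 849, 762, 824, 787, 808, 773, 842, 801]

if __name__ == "__main__":
    for name, reading in (("touching", TOUCHING), ("stale", STALE)):
        print(name, round(mismatch(IMPLANT, reading), 3),
              "accept" if same_heartbeat(IMPLANT, reading) else "reject")
```

With these constructed readings the touching programmer disagrees on 2 of 48 bits and is accepted, while the replayed recording disagrees on half of them and is rejected.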
